Episode 46

Fighting Cybercrime and Tracking Malware Trends with Shyam Sundar Ramaswami

EPISODE SUMMARY

As malware attacks continue to change, we're joined by Shyam Sundar Ramaswami—Senior Research Scientist at Cisco by day and the Batman of Cybercrime by night. We discuss trends and developments in ransomware and malware attacks including new hiding places and how hackers play at emotion. Learn the best way to protect against these attacks and other advice from our featured ethical hacker hero.


Joseph Carson:
Hello everyone. Welcome back to another episode of 401 Access Denied. I'm your host for the episode, Joseph Carson, Chief Security Scientist, and Advisory CISO here at ThycoticCentrify. And it's a pleasure to be here with you on this very exciting episode that I have a very special guest, who is going to really deep-dive and take us through the past trends of malware and where future trends will be going. So Shyam, it's fantastic to have you here. We've known each other for a long time. Do you want to give the audience a little bit of an introduction about who you are and what you do?

Shyam Sundar Ramaswami:
Hey, thanks Joseph for having me on the show. I've been following the show for a while. It would be an honor to be part of the show. And thanks for doing it. We all listen to it and we all learn from this. So thank you for doing it, first of all. Who am I? I'm obviously not the Bruce Wayne, but I'm actually the Batman. That's what I call myself. I love fighting crimes in Gotham, which is I call the internet, the Gotham. I love fighting cyber crimes, add a tinge of Batman to everything so that it's fun to do. And also, I work with Cisco as a senior research scientist and then predominantly dealing with malware attachments and threats that deals with emails that are malwares. So that's what I do for a living. And I've done two TED Talks. I've also authored a book which is out in the market. You can go to the Amazon and check it. It's called It’s Your Digital Life. And that's me. So, that's me.

Joseph Carson:
Fantastic. We met probably around five or six years, I can't remember. It was quite a few years ago we met at a conference, which we have actually upcoming, which is the Qubit Conference, which is one of my favorite Zoom conferences to go to. And that's where we met. I always recall, every time I see some Batman memorabilia software it always reminds me of you. Because when you did your talk and you always bring Batman into it and fighting crime, it makes it entertaining. It makes it very interesting and appealing. So definitely it's something that makes me think every time I see Batman now, you're the first person that comes to mind. The TED Talks, definitely, we had discussions years ago on TED talks. What was the topic? What was the TED Talks you did on? What was the topics, I'm just curious?

Shyam Sundar Ramaswami:
So I did two TED talks. The one was about the digital life and how you have to safeguard yourself on that, but the second was more interesting because that gave a lot of shade and scope for cybersecurity that was actually titled, Can a Couch Potato Save the Digital World? That was my topic. So it spoke a lot about malware trends and how threat actors are operating. And it was also spoke about the part where the malware industry is going towards. You have SaaS as a service and PaaS, and SaaS, and IaaS, and then you have MaaS, right? Malware as a service. That's becoming more of an upstream and uptick of late in the last three years.

Joseph Carson:
Absolutely.

Shyam Sundar Ramaswami:
Yeah. I spoke a lot about that and some examples of Excel hiding, hiding some sheets, how macros operate, but thanks for bringing that point right here, because when I probably rewind myself two years or a year and a half to TED talk, we were talking about macros, but in the last four or five months I've seen a lot of files that don't have macros, but still are executing. So that's pretty, you would probably want to compare the before talk and the after part of it. Well, I was saying that dude that's a nice trend or where are the actors have improvised? Yeah.

Joseph Carson:
Absolutely. You're absolutely right. One of the things in the past couple of years where I've seen malware is that they used to be very multifunctional. They contained multiple components. They had downloaders, they would scrap credentials, they had exfiltration. Now, you're starting to see the much more targeted and specific, and then being embedded around multiple types of payloads. So attackers are using different components in order to do those specific tasks. We've seen it more on the Mesmer side, but absolutely even the malware that it's becoming a service. You've got people out there that rather than actually, used to have the ones who would create it would also be the same people who deployed it.

Joseph Carson:
Now, you've got affiliate services where those who are creating the malware are actually selling it basically as a service, either as basically subscription model or for royalties, if they're successful at getting it. So that means that we're starting to see very specialization, where somebody who their malware specializes in, just focus on instilling credentials. One focuses on financial, looking for credit card information, looking for personal data. What's your thoughts around the challenge that we have in specialization, specifically in malware?

Shyam Sundar Ramaswami:
What you say is 100% true, right? There were malwares in the past that were just used to steal credentials from the browsers, like TrickBot, and Ursnif and if you see those threat actors they used to focus only on banking Trojans, right? Now, you used to have some sort of, everything we fit into the micro-template today, right? But if you see the flow of, you get an email that's a malspam that drops a doc, and then that's going to do a bunch of X, Y, Z things in your computer. And if you see the end goal it's probably going to be, hey, you know what? This is going to be a Trojan that's going to just scout for passwords, or screen captures, or web cam stuff, blackmailing, but if you see in the last one and a half years it's become polymorphic.

Shyam Sundar Ramaswami:
So what I've observed about malware it's absolutely polymorphic. What I would bring to the table here today. If you see this C2C behavior from reverse engineer, it gives you just a 50% to 70% of a perception, right? Because your goal probably is to just reverse the samples, see the IOCs, the behaviors, and then push it. But I'm coming from a background of domain forensics, more of the DNS side of security. That's where you see these URLs and tons and tons of URLs. Four or five years back, I used to see at least a thousand domains a day. I kind of came to a point when I see the URL and say, "Dude, this is what it's doing." So you get into the zone, right?

Shyam Sundar Ramaswami:
That's the hallmark of the C2C communication. What you say is right. Infrastructure is being leased out is the right word to probably use here. It's being rented out. These co-hosting spaces like racks that they rent out for IaaS and cloud, right? Malwares become like that. The infrastructure, the code is being rented in the dark web. And it's being really simple off where I've heard from people when I go to the conferences. I think we met again in Black Hat a couple of years back, if you remember. Yeah. So I heard someone saying that the panel, right? You have this panelized tracking of campaigns, it's so modernized, or you probably have to pay money and just tell which computer, which region to affect and boom there you go.

Shyam Sundar Ramaswami:
You can just drop the payload of your choice. So that's where that's evolved. So the answer to the question even though it's detailed, it's polymorphic. So it's become absolutely polymorphic, and you can say that APT33, or like some threat actors who's just targeting other page for passwords and diploma data is only doing that. They can do based on the system, the geographical location, the season, the campaigns. They can drop a malware, they can drop a TrickBot, or ransomware is probably being followed by TrickBot of late. Yeah. That's the way that this trend's going now.

Joseph Carson:
Absolutely. And additional thing is that doing a lot of incident response and forensics, what I've seen as well is that a lot of the attacks. You still have the split between those which are opportunistic. They're just blast and hope for the best. They'll blast on emails, they'll blast on social media, whether it's SMS messages, just hoping people are going to click. And they don't have protection, and they'll run, but I've seen a lot of the attacks also, organized crime types of attacks where they're getting more people hands on keyboard. They're logging in, they're stealing credentials, and they're getting in. And what they're first of all doing is they're actually enumerating the environment to see what technology's running. And they might even do that in a passive sense. First of all do that by looking at what they see online and what's publicly available.

Joseph Carson:
And then they might get more into the active side where they're looking at the machines directly. Then they will decide what malware to use because they'll decide which one will have the best at being able to stay hidden, which one will be able to exfiltrate, which one will be able to stay undetected for longer periods of time. Even a lot of ransomware cases, what I find was in doing the investigation, that I would see that they deployed a specific variant of ransomware. But when I looked in the scripts I saw that they had 10, 20 different variations of ones that they could decide to use. They just chose the one that basically would not be detected by the types of security controls that were put in place. So any thoughts on ransomware, that's definitely more of a marketplace type of malware where they'll choose the one that will have the best success.

Shyam Sundar Ramaswami:
What you say is 100% true, right? What I'm actually been observing in the past is the number of layered level of coding and layered level of functionalities in malware it specifically increased the last two years. Now, the amount of reconnaissance they do, pros they get in it's really, really the persistence mechanisms have really up the game to a level where, as you mentioned, right? They stay dormant for a lot of time and unlike more of the APT. And they have so many layers in it, right?

Shyam Sundar Ramaswami:
They look at the architecture, and if you see the scandal list of softwares they're running and computer first. And if you see the C2 traffic that goes back as, you know the bite code format that goes back to the attacker? Do you have... It's become like a telephone directory of late with so many options, right?

Shyam Sundar Ramaswami:
So like you turn on and on and on. They're like so many pages going on. So the layerisation or the multiple layers of off these deployments have tremendously increased. So, they're not in the build anymore. So the threat actors have, I always say this, right? You and I have the same information and so do they. So they have the same resource of the internet that we all look into, and now they've become multi fill and layer specific. So they have so many functionalities going in.

Shyam Sundar Ramaswami:
Earlier malware used to work in a way that it used to check for some set of a system configuration. If it's not probably working it cancels the C2 and said, dude, I'm not infecting it. Yeah. Now, it's become like the Independence Day mothership. And there's so many smaller ships coming in based on the C2 communication. And it's probably extremely becoming hard. And if you would want me to share something interesting I'll probably share about this multilayered malware concept here. So like eight months back or nine months back, we built a honeypot. It's like the cheesy honeypot everybody makes.

Joseph Carson:
We're all running one. Hoping that it captures everything.

Shyam Sundar Ramaswami:
Exactly. So we made something like really, really stupid. It was like with the HR page on that saying dude, log in. Was the most welcome home kind of a captions of passwords and that login. But you know what actually happened? We were part of a big botnet, which was like a WordPress hack. And we ended up having one of the converter malwares sample getting dropped in there. So why I'm bringing this part in here as biggest, the level of layering that went into reversing that sample was massive. I think it was packed with a bunch of features if only the person who developed it was a developer, the product would've made millions in the company. So they had so many features in that, right? So what we found was it was heavily persistent, where the code was inside the NTUSER.DAT file.

Shyam Sundar Ramaswami:
When it infects your system you probably need to get the NTUSER.DAT file to do some sort of registry forensics into the hives to find out what actually was the script or the call out that was actually happening. So then it had multi layers of PowerShells, JavaScript call outs, shell codes. And then dude, it was like opening a gift packet and then you had to use a lot of tools like Speakeasy, strings, encoded, Office-skated, tons of stuff. And it was also detecting VMs. Imagine one sample is able to do so many things.

Joseph Carson:
That's pretty impressive. Somebody who's went to the, it even saw not just like one person, but I entire, when you get into different code bases, but I tend to find this. You're either dealing with somebody who's a super architect who's been doing development for years or you're working with a team.

Shyam Sundar Ramaswami:
Exactly.

Joseph Carson:
Typically these days you're probably even finding a lot of code bases. It's likely to be a team behind it?

Shyam Sundar Ramaswami:
Exactly. And then I had a process hollow injection technique on top of it. Now, why we just bringing this point is imagine this was actually registered as a service. So many layers, so many functionalities. And the fallback mechanisms for this as layering is massive. Now, that's what probably answers your question, saying how multifold and how layered malwares have actually becoming. And things have gone beyond control where you just run it in a sandbox and you get the IOC. Well, I have a lot of stories where it's bypassed your sandbox. Yeah. Yeah. That's-

Joseph Carson:
Sometimes even just sleeping, they do nothing for long periods of time.

Shyam Sundar Ramaswami:
Exactly.

Joseph Carson:
Just to wait for a time out. One of my favorite ones last year that for me was interesting, because I've looked a lot in 2021's different variants of malware. Of course, you got the typical ones that's been around for a long time. The likes of Zeus. You've got Tesla. You've got EFNet. And the one that for me was cron job, which was interesting. Sorry. CronRAT. And that for me was interesting, but just because of course the obfuscation side of things where it actually put itself into a cron job to run on the 31st of February. A date that never existed, because it never existed you don't see it.

Joseph Carson:
It's hidden because that date just doesn't exist. And then even behind it the, that was a very interesting way of just staying hidden, and being able to execute by using the simple kind of issues within operating systems or within applications. But then we get into the actually script behind it, just like you said, it was so well written. So complex. They took a lot of time to make sure what they wanted to achieve was going to be successful.

Shyam Sundar Ramaswami:
True. True. And as we mentioned, right? Agent Tesla that probably rings a bell in my head was doing a lot of rounds in last year, on the year before that, because of the Equation Editor exploit. And most of the folks don't purchase genuine Windows. Most of them had a Word that actually had outdated Equation Editor. And if you look at it there's no macro inside it. It just was a Word document with just an equation in like a text form. It's gibberish, right? So people get perplexed when you run it dynamically then you see the equation edited through the ... get called. So that was pretty interesting when with like Agent Tesla went rampant on Equation Editor. And since you mentioned the RATs, where RATs have given super powers to the turtles, like the Teenage Mutant Ninja Turtles where the RATs have evolved, like Remcos did a lot rounds last year if you observe.

Shyam Sundar Ramaswami:
Remcos that was like super famous last year in 2021, where they used a lot of Google Drive URLs. You got an email then you get a Google Drive URL, you click on it, you get exploited, but the pain point of Remcos last year was a normal analysis in a sandbox couldn't uncover all the IOCs. Which just mentioned the level of persistence, the dormancy of the malware was so massive you had to do memory forensics to rip the process out and look into the memory of the process to get the IOCs all like. Tons of porn stuff, URLs, banking stuff, man. We're like super threw you off guard when you that. Yeah.

Joseph Carson:
What techniques do you know, talking about that the CronRAT one that went into hiding itself within the cron job for the 31st of February, what other methods have you seen malware trying to stay hidden either on the system itself? Of course, the law was high within common operating system file names. So what they, within the kernel libraries, register themselves to services, they'll be hidden in the registry, what other interesting techniques have you seen malware trying to stay hidden?

Shyam Sundar Ramaswami:
The one that I was like more fascinated about is just sitting in the registry into the data files with the keys where they had JavaScript callouts there. So the PowerShell codes basically hidden in the registry as a key. That was one of the persistent mechanisms where they had to do a contamination of these PowerShell scripts to call out, that's one. But apart from the fighting technique post exploitations, I would probably talk about the malspam ones, right? I've seen only these bunch of the usual ones I've seen for the registry, the persistent methodologies, hiding inside the registries, living as part of a service and trying to look for anti, I've seen malware uninstalling antivirus softwares. Trying to do those things, but I probably want to cover about one interesting thing if you would let me talk about it.

Joseph Carson:
Absolutely. Go ahead.

Shyam Sundar Ramaswami:
It's about the template injection probably I want to talk about, this has been quite on the higher rise in the last year, right? Word documents use macros, the macros are like the box that opens and then a gesture comes and collapses hand. That's basically a macro. So each time when you open the document the gesture comes out. So, that's the way the macro works. Now, this is like a template of infection that usually happens, always with Word based documents. But what we strangely saw last year was, well, a lot of these non-macro attacks, which is pretty shocking, right? There's no macro into it, but you're still end up attacking it. So this actually started, I think it started with njRAT or some of these remote access Trojans, which started this trend. Word itself is basically a zipped format.

Shyam Sundar Ramaswami:
You can unzip your document and see the XML tree structure. Now, what I found is very interesting was I think in a month when I explored the emails and took the samples out of the attachments, I was constantly able to see 100 to 200 samples a day, where you would have a Word document, which is non-macros. It bypasses all your tools. So it's clean. It looks nice. It looked exactly like a document from an embassy. It looked perfect. Your email, had the perfect headers. It didn't come from a Gmail. It didn't come from a Hotmail or your sneaky email, or randomly donated emails. Everything was picture perfect. I'm not exaggerating. And when you go to the ... all 75 vendors said it was clean.

Joseph Carson:
Yeah. Would not detect it.

Shyam Sundar Ramaswami:
Okay. We're not detected. When I unzipped these Word documents and I saw there's something called webSettings, under the rels folder. So, that has something called its external keyboard. So the external is actually pointing to a cmd.lol, which was like minus level seven free service, a file sharing service. So, that was part of the campaign. So when you open the Word document it's going to run in the background saying it's downloading something, but it's not a macro. That was downloading payload. I saw a lot of these continuously for three months. So, that was one of the trends and I would call this as a persistence mechanism, but I would say this is the sneakiest way to the entry mechanism, which acted persistence way of doing it. So this was one of the things I saw last year.

Joseph Carson:
We look in history and it's always been Office documents and PDFs. Were always the top payload delivery mechanisms. Is that still the case today? Are you seeing other new formats coming in to play or is it they're still doing those traditional hiding it within the macros, within doc files, or spreadsheets, content within PDFs that you have to enable and activate once you execute it, are they still in those traditional pastors or new formats that they kind of moving into?

Shyam Sundar Ramaswami:
So there are a couple of new formats. See, these are still there because these are some traditions that need to be maintained and it's like the primary form of it. That's because of the reach of such threat actors, right? An invoice through a document or like a receipt through a PDF is still the primary form of infection, which accounts for 75% to 80% of the malware, because it can be easily sold to a receptionist, or the front desk person, or to anybody in the sales team that's the first way of doing it. It still exists. And I would say PDF is more, because PDF is a form of an Office document I would probably call it, which has got too many superpowers, to be honest though. Because it can embed a Word document inside, it can drop files, as the superpower it actually has. And above all it has all the infinity stones with it which is just a JavaScript inside it. It can just snap its fingers like Thanos does. It's got all the powers that it has, and yeah. That's a powerful form of...

Joseph Carson:
And if the user is running as a privileged user, then it's game over many cases.

Shyam Sundar Ramaswami:
And you have an early Christmas then, so you can't do anything in that. I just want to add a couple of things that I've been seeing is a lot of ISO attachments scanning through. So you see a lot of pdf.iso, ISOs making way, but the strange point is it's always targeted towards the Spanish and the Brazilian campaigns, and not in and around the US, or the UK, or in India. I see a lot of foreign language, which is basically European, Brazilian teamed, or some of these Spain, Portugal those are the countries are being targeted. So what I've seen so far, especially with the pdf.iso, I see a lot of them that way. The second of your attachment what we want to talk about is basically the Excel sheets. You have seen a lot of Word document and PDF malwares, but Excel is doing a lot of noise in the last six months, where you've heard of it.

Joseph Carson:
The one I remember you talking about was the hidden sheets.

Shyam Sundar Ramaswami:
Exactly.

Joseph Carson:
That was a really interesting discussion you had. So if you can share it for the audience a little bit about the methods that we're seeing in Excel, because Excel is a common format and it's very powerful in regards what its capabilities. Share with the audience more about your findings, and the Excel, and hidden sheets?

Shyam Sundar Ramaswami:
Sure. Sure. So it was just a normal day looking into the Excel sheet we couldn't find much macros into it, but when I started reading a lot about Excel sheets I found out the internal structures of Excel could actually hide Excel sheets. So I was kind of so dumb that I couldn't unhide the Excel sheet, but when we probably sort of did a deep dive from an internal standpoint of an Excel sheet, Excel sheet has actually got three levels. It's like hide, very hidden, and you can probably unhide it. So hidden, very hidden and unhide basically. So what happens with these threat actors is, now, if I probably put a macro inside a sheet, your endpoint detection systems are going to catch it with signatures by keywords, like run Excel, PowerShell, and all of these things, right?

Shyam Sundar Ramaswami:
What these guys did was super smart. What they've done was brilliant. They had an Excel sheet that probably ran, technically speaking, three miles in length and breadth. It was like a huge Excel sheet. I keep scrolling and I look at my clock, I think I've lost years of my life after that. It's going on, and on, on, and what does the fun factor they have a, what they have done is they have basically put each of these keywords in separate, separate take, for example, is the Ex is there. And the C is another cell. They're calculating formulas for that.

Joseph Carson:
Even URLs. Putting together URLs can be based on that too. Yeah.

Shyam Sundar Ramaswami:
Exactly. So the URLs is put into bits and parts throughout the Excel sheet. So you have to probably go cell wise, it starts at A, and probably ends at zillion somewhere. So they concatenate this. This is like a super technique. I was fascinated when I saw the Excel sheet. So they had the macro, sorry. They had the method to unhide the Excel sheet, its locate it. And then it starts concatenating sheet wise and then it assembles. And end of the day it was just one line of code.

Joseph Carson:
Was it PowerShell code or some just?

Shyam Sundar Ramaswami:
Exactly. It was just the PowerShell code calling out a URL. That was huge, right? So that was one of the very interesting things I saw in the Excel, I actually spoke about that in the conference also I guess.

Joseph Carson:
Yes. It was one of my favorite topics. It was very interesting.

Shyam Sundar Ramaswami:
Thank you. Thank you. Now, the good news or like the bad news for the folks, but the good news for people like us, there's an add-on to this Excel, which is actually called an XLL. So Excel sheets has an add-on capability called XLL. It's a third party plugin that's used by Excel to download or interact with third party applications. Now, what threat actors are doing with, especially with the IcedID Trojans of late in the last seven months, I think from November or October, you get an email and the email here it's a DocuSign. And your traditional DocuSign.

Shyam Sundar Ramaswami:
And what actually happens is they are heavily abusing FeedProxy, Google's FeedProxy URLs. So they have a FeedProxy URL, which you click on that downloads an Excel sheet, which says proforma invoice for the year or whatever it is just depends on the region. And then actually drops an Excel sheet. The Excel sheet actually looks for an XLL plugin, which is basically an add-on it gets enabled that downloads the IcedID installer. So there like a pretty cool thing when actually saw. And what's the shocking part Joseph here? The XLL add-ons are both digitally signed and unsigned also. Just signed is pretty crazy, right? Yeah. That was the crazy part.

Joseph Carson:
Yeah. Once you get digitally signed that's always the concern because for me there's always an indication that, that's a reminder in the supply chain issues that we have is that there's things that we automatically trust and there's things that we don't trust. And in a lot of when you get into software updates, when you get into installations, and add-ons, and plug-ins of whatever it is we have the sense that in a Windows specific environment you tend to automatically trust those. And a lot of them do whatever they want on the system. And unfortunately we have to get into where we can't assume just because it's DocuSign meaning that's authentic and that there's not something hidden within it. In the supply chain we've seen a lot of malware where you can go back to SolarWinds.

Joseph Carson:
It was part of that whole, well, started as spicy then we're moving to what were software repository or basically cloud based storages where if they're not protecting it attackers can simply drop something in, hide it into those repositories. And then it's the software supply chain updates, which deploys it for them. They're getting into this is that they're getting very intelligent, very smart into how can I make the victims do as much work for them as possible, so they can focus on being successful, into the mile where development itself how they can actually do successful, and do it much more efficient? And they can pass a lot of that. And that's why we continue of course, that's why we see phishing and social engineering continue to be one of the main delivery mechanisms, because the more we get humans to do what we want them to do, and manipulate them, and abuse their trust, the more successful criminals will be in this industry.

Shyam Sundar Ramaswami:
True. And the second thing I just read it somewhere is pretty bizarre, I want to share it here. The FDA actually reported a lot of cases where a lot of random USB drives were shipped to supply chain industries. Supply chain sectors in the last three months hoping that they would put a plug in, and this was like a holiday team attack that I was actually reading about it where somebody was saying that it was saying a gift for your Christmas and then they had the duck USB drives, right? The duck that you put in the bathtub.

Joseph Carson:
Rubber duckies. Yeah.

Shyam Sundar Ramaswami:
Rubber duckies. Those were there just shockingly bizarre. When you have a good infrastructure to carry out social engineering, you still have the traditional way of infecting people. And there were instances where in the atomic research stations, in the compounds, there were a lot of USB drives thrown inside. Especially in the nuclear power stations also. Yeah. That's pretty, yeah.

Joseph Carson:
Yeah. Some of those delivery mechanism for me, I've seen so many of these over the years. Even in getting into the bad USB, the cables, you can even put it within a charging cable. You can embed it with malware. Somebody just plugs in a cable to their device, it will pop up as basically as an interface, whether it being a keyboard or mouse so whatever it is. And then carry out automated actions in the background. And absolutely even to the point where if you're, by sending gifts even could be something simple like a charger, or it could be even an e-cigarette, or something that just has USB as the power source. Because many things today are charged through USB. They will come as USB charging devices.

Joseph Carson:
And I've seen to the point even e-cigarettes embedded with malware, the moment they're waiting for that to be rather than plugged into a wall socket, but plugged into a laptop. And then deploying the malware within. So some of those intelligent, they were going to continue using USB as a payload mechanism and sending it out as gifts. I've even seen more even at major events where USB devices that were being given out as basically gifts to people attending, and they were embedded with malware just waiting for those people to go and plug it in. And that's what's really important. I've said here, whole stack of data ports. So always sitting next to me that when I travel anywhere I'm always giving to people. So a bunch of the data ports, you plug it in and it makes sure that it's stuff the data going through.

Joseph Carson:
It's just good practice. I've even seen it in industries, in the shipping industry. One interesting case for me was in the shipping industry, where there was a captain of a ship. He was on the bridge. And one of the scenarios was that they were getting to nearshore. And that meant that rather than having to use the bridge communications to make calls, getting to nearshore meant that they were able to pick up 4G connections from the telcos. But unfortunately he wanted to tell his wife that he was going to be home soon. Like, pulling into the port, I'll be home soon. And he had a mobile phone on the bridge. And unfortunately the battery was going flat. And rather than running back to his cabin to plug into the wall socket and get power, he basically looked around and said, "Well, there's a USB port here on the bridge. I'll just plug it directly in. I will charge my phone a little bit, so I can make that telephone call."

Joseph Carson:
And unfortunately there was a piece of malware sitting on his phone for one year, waiting for that one moment, for the plug-in. Completely wiped the navigational systems. So the actus navigation systems on the bridge, and it infected the systems with malware. They were just waiting for that one moment to happen, waiting for it to be plugged into a system with a USB port. And ultimately, going back, one of the things was that all those devices were using USBs to update those systems. To do the firmware updates, to do new installations and so forth. One of the solutions, what they ended up doing, was they went and had to actually hard cut all the USB ports on those devices, just to make sure that those types of scenarios would not happen again in the future, or it would be more difficult.

Joseph Carson:
So it's always the case that sometimes there are probably a lot of devices out there today that are still written and have malware hidden within, waiting for those moments, waiting for people to plug them into the wrong device, or the right device for the malware. So there's a lot of things. As you mentioned earlier, they have all these detection capabilities to understand: what system am I running on? In many cases it used to be, am I a 32-bit or 64-bit machine? Or again, run the right malware on the right platform. But today it's more about, am I on the right victim to execute as well?

Shyam Sundar Ramaswami:
True. And like how advanced these things are. They scout the entire system. Like the peripherals, the computer, the infected system. That's the APT part, right? They can stay in for a very long time, especially in carbon sectors, embassies, diplomat passports. I remember reading something where this actually happened in Azerbaijan. Azerbaijan was targeted specifically with these remote access Trojans, which only targeted diplomat passports. So that data was basically uploaded to the internet, that's one side of it. And the second thing, what you mentioned, right? Now, the rise of ransomware today is seriously a big alarm, because you know and I know and the world knows ransomware is just after your data and you have to transact in Bitcoins for it.

Shyam Sundar Ramaswami:
Now, the alarming factor that I've seen personally with a couple of people who got infected, so I had some conversations with them, is it's after the backups. So it's not after your data anymore, it's after your backups, to be honest. That's the goal. See how they've evolved, right? They've evolved massively, to be honest. The lateral movement is super dangerous and the way that they're after your backups, if somebody settles for a simple, you would be knowing it better than anybody else. Most of the backups are in the same environment as the data.

Joseph Carson:
Same environment with the same credentials. Unfortunately. And their online backup thing. And that's one of the things I always struggle with: you need to have a good strategy when you're looking at this, you need to have defense in depth. We talk about defense in depth repeatedly, but you also have to have segmentation. A lot of the backup strategies for organizations are really backing up against disaster recovery, hardware failure, data corruption, but in a lot of cases they don't actually factor in ransomware as a threat for those backup strategies. Because if you are using an online backup, that's protecting against fault tolerance or a hardware failure, but when that ransomware runs it's going to encrypt both your production and your backup system, which means that you have nothing to recover with.

Joseph Carson:
That backup is online with the same credentials. And that for me, always frustrates me when I see those types of backup strategies, because it is not factoring in malware. It's not factoring in ransomware, or data exfiltration. It's only focused on that disaster recovery piece. And that really means that organizations really need to think about offline backups, or segregated backups, or differential backups. And also making sure you have different privileges and credentials for production versus a UAT or a backup environment. So segmentation is so critical in those environments. Couple questions for you, go ahead.

Shyam Sundar Ramaswami:
Yeah. I just want to make one point, because folks just make, they're more focused on the disaster management recovery part and they forget these hot sites and the cold sites part. And their only motive is to probably get the service up and running, like the runtime calculation per minute, per downtime, price that cost to the customer. They end up having the data very close to them and they want to have a recovery of that pretty fast. That cost them. That's where that way you brought a point, right? The backup should be in the cloud is one.

Shyam Sundar Ramaswami:
The second thing that you probably need to have is more of something called the breach mentality. No one's doing it, I don't think, at least from my knowledge. The breach mentality should be implemented in every organization like a fire drill. So you are doing a fire drill every month to make sure the fire's not going to happen, right? But you're going to say that, "Dude, this is the way that you probably go down and then this is how you have to do it." You rehearse every two months. Why don't companies start rehearsing a ransomware attack? You should rehearse your ransomware, right?

Joseph Carson:
Absolutely. That's one of the things that I've always been saying. I did a talk not so long ago which was on ransomware incident response. And one of the things I do is I make a differentiation: there's one thing of having an incident response plan, but you also have to be incident response ready. And that means you have to repeatedly test it. And incident response in a ransomware scenario is not a security response. It's not an IT response, it's a business response. And therefore, it means that you have to actually incorporate all different aspects of the business. So it means that you have to make sure your HR team's involved, your financial team's involved, your sales and marketing team's involved, because you want to make sure that you're actually going into business resiliency mode.

Joseph Carson:
And this is where sometimes many organizations approach it wrong. We think that these types of responses, and business recovery scenarios, and backup strategy plans, are an IT or security team's responsibility. It might be their responsibility to implement and plan, but it's the business's responsibility to make sure they have a recovery scenario, and work with the IT and security teams to make sure they have the right strategy in place that is effective for the business. So you're absolutely right when you talk about fast recovery. Fast recovery doesn't always necessarily mean the best recovery, because I've seen even recovery strategies that actually redeployed the malware back into the environment, because the malware was actually in the backup. And recovering fast meant that, yes, we've recovered, but we're just redeploying the malware back into the environment. So it's an interesting kind of thing that really needs to be well thought through and well planned.

Shyam Sundar Ramaswami:
That also depends on how detailed the runbook is, probably, and the playbooks, the runbooks, how effective or how detailed you are. And as rightly mentioned, with ransomware the stakeholders are precisely the entire organization. It's just not a normal recovery activity or like a resilience activity that you do. A lot of things depend on a ransomware attack. And I feel personally this has to happen like a trend. Yep.

Joseph Carson:
One of the things I'd like to ask for the audience: we're talking a lot about ransomware, and malware threats, and some of the sophistication that's going into them today. And all of these new models of delivery and deployment for payloads, what kind of tips do you recommend that they do to reduce the risk from those? What can they do to make it more difficult for the attackers to be successful, especially when it comes to malware?

Shyam Sundar Ramaswami:
I would probably put a stronghold on scanning and the entry mechanisms of email. In that case there should be more parameters that need to be looked into. Today we can easily bypass the emails. If you see the email header, you have tons of stuff to easily bypass. So there should be a lot of stringent policies, calls. For example, you cannot have an emailer which is anonymous that hits your mailbox, right? That's the first point of malspam entering. So that needs to stop. So you need to have a protection where 60% of your problem is solved when you scan your emails properly. That's one thing, and the second thing, it would probably sound stupid, but I probably would still put this point. Most of these malware attacks occur because of clicking on a link or opening a Word document. So user education is probably the only investment that you have to make as a company. Zero Trust is not your policy, it's your employee who should not do that.

Joseph Carson:
Yeah. Myself and my, was it duplicate, my clone, Dave Lewis. We had him on a few episodes ago when we were talking about Zero Trust. And we had a long discussion, and for the audience, definitely go back and listen to the episode on the Zero Trust talk with Dave Lewis. It was a fun discussion. And one thing we got into is that Zero Trust is not a software implementation. It's a practice. It's about how you practice security in your organization, and how people do things. It's a mindset in how you operate your business, which is one of the best terms I heard.

Joseph Carson:
So you're absolutely right, what it gets into is that it's about making sure that people understand: should I do this or should I not do it? And if I do it, what are the potential consequences? And am I running as a local administrator on the system? And if I click on something, it's going to have those privileges as well. Or should I actually potentially run this as a lower privileged user that will prevent it from being able to, such as when you open up a PDF file. Do you want to run it as a domain admin or just as a standard user? Because the impact of that will be huge if it is malicious.

Shyam Sundar Ramaswami:
True. True. Yeah. So like the rate at which, now, we have advanced AI/ML detections, you have all the data. And if you see most of these malspam emails, it's just a record of keywords: if you see urgent, invoice, congratulations, you see it's only two emotions. It's either fear, or it's just happiness. So you have to control the emotions.

Joseph Carson:
One of my favorite phishing scams of all time, it was quite a few years ago now, was speeding tickets. Because, to your point, you want to play on people's emotions. That's what it's doing. And it's also, when you send those phishing emails, the timing was also important. So the speeding tickets that were part of this phishing scam were sent at 5:30 PM Friday evening. Especially when people have left the office, they get these emails and they're like, "Oh." All of a sudden it plays on fear of doing something illegal, fear of being fined financially, fear that if they don't respond in time it could actually double or get more costly. So a lot of those, Shyam, you're absolutely right: urgent, this needs to be done immediately, ASAP. It plays on people's fears, or it's the reverse. It's like you've won something, congratulations. In order to get this reward you need to go here and complete it. When you see things playing on your emotions you should always, always second question it, whether it's real or not.

Shyam Sundar Ramaswami:
Yeah. True. And then I would probably want to add one point, right? Most of these mails, spams that have been targeted are towards the shipping and the supply chain industry, if you observe. Most of them, it's shipping code, invoice, listing, product listing, and it's very easy to make them click on something. And if you observe, medium-scale businesses are always targeted more, rather than the big fives or the big fishes. I would say that you have to have stringent rules on the incoming emails; that's your starting problem. And second is more of where companies would probably start to focus on the actual Zero Trust, right? No process should be trusted. And I think Windows 10 has probably come up with a lot of these. You have to get to a point where, probably when you see a process that's misbehaving, you have to probably quarantine the process, put it inside like a sandbox itself and execute it. Tons of stuff. We can go on and on, on that. Yeah.

Joseph Carson:
Absolutely. Prevent it from launching any child processes as well. Some of those things, because that's a common way of persistence, of moving around. And you're absolutely right about supply chain. I have my sandboxes running, I've got my honeypots running, and I see a lot. Your package is waiting at customs. You just need to go here and release it from customs. I've seen a lot around things like even COVID tests, that you've got a COVID test waiting to be seen. Go and see whether you, and this is just playing on people's emotions, and really the environment arises because of course the pandemic forces everyone to work from home or remotely, supply chain and order delivery, you can't go to the shops as often. So you're getting things delivered to your home. So attackers will take advantage of all of those scenarios. Any predictions, anything that you think that we're seeing, the path and direction, where could malware go this year? What changes might we see?

Shyam Sundar Ramaswami:
I think malware would go a lot towards the operating systems and films. It would target a lot of Android-based devices. This is my gut feeling this year, because the pandemic is probably getting extended. A lot of these apps and work from home is probably happening from the phone; the phone could be targeted the most, is what I would feel. And the second thing I would be probably very worried about, these non-conventional methods are probably going to increase, without macros, not much of macros. And the additional places, or like the non-observed parts of a Word document, are where the threats are probably going to stay and be persistent. You would still see the same old Emotet trick working. That's going to be one side of the coin, but you'll see a lot of these mutations of the same. You are probably going to see a Word document dropping a macro, but there's going to be something, an extra layer inside.

Shyam Sundar Ramaswami:
It could be an obfuscation layer or multiple encryptions. And I also personally feel that there would be heavy RC4 encryption inside the code to do the C2 communication, which could be pretty hard to spot. Yeah. It's going to be a mashup, is what I would feel. The ransomware features, the TrickBot features with those lock bot features, all of that are probably going to get mashed up, is what I feel. 2022 and 2023 are probably going to be a big mashup of these things, is what I personally feel, because I'm starting to see those stencils already.

Joseph Carson:
Yeah. I think the cyber criminals and malware creators are sharing a lot of code, I'm pretty sure, and techniques and methods. So they're exchanging different features with each other and making these super malwares which come with a lot of nasty capabilities. And absolutely, I think for me, definitely the phones are going to be targeted, but I strongly believe there's going to be more of a, not the target, it'll be the secondary victim as a means of redeploying, so that it may not be the initial target. I think it'll basically be a bit dormant on these phones. Just like I mentioned earlier with the captain of the ship. It'll be dormant on the phone until they connect it to their work laptop, or they bring it back into the office.

Joseph Carson:
When people slowly move back to working in an office, they'll go back in, plug it in, and the phone will be sitting there waiting for it to be deployed elsewhere in the network. And you're absolutely right. Obfuscation, staying hidden. I think one of the things I've seen is attackers are more living off the land. They want to stay hidden within traditional communication methods. You might be looking at something that might look like somebody streaming music, but in fact that hidden audio is actually extracting data.

Shyam Sundar Ramaswami:
Yeah. Well, I wanted to come to that point actually, the steganography part. Steganography is going to be on the rise, because we saw a lot of these JPEG C2 pics being sent out last year. So they had the passwords, phone numbers sent out as part of C2 as pictures. And you rightly mentioned, like the audio playing or the movie could be playing, but split could probably be shipping out all your data.

Joseph Carson:
Absolutely. Yeah. If you're looking at the network, you see a lot of audio streaming, movie streaming, people watching things, whether it's Netflix, or Prime, or something, and they're using their devices to do that simply through a web browser. But hiding within that traffic makes it very difficult for us to detect. And that becomes a massive challenge when you see those types of obfuscation.

Shyam Sundar Ramaswami:
Especially when you download these Netflix shows for free, that's when it's probably going to up the game. Especially, I haven't seen the subtitle files misbehaving in a while. The authority files, I assume, are probably going to misbehave in the next two years.

Joseph Carson:
Yeah. I've seen playlists being actually abused as well. We've seen the subtitles, the caption files and stuff like transcripts, the metadata, even the files within the metadata itself, the description containing code. It's taking it to the next level where you talked about earlier in the XML. Not the XML, the spreadsheet containing it. Different parts within spreadsheets. I think definitely we're seeing a lot more of that within other types of file formats. So it's been a pleasure having you on the show. Any final messages for the audience? Where can they find you? How can they sign up? How can they follow you? What things would you like, the final words for the audience?

Shyam Sundar Ramaswami:
You just have to flash the bat signal to find me. That's why. You can find me on LinkedIn. I'm there on LinkedIn. And my Twitter tag is actually hackerbat. You can find me there. So you can sign up for conferences. I would love to do workshops, talks, I'm your man. So anything related to malware, forensics, cybersecurity, call me, I'm very passionate to do a talk for you or have a chat with you. Final thoughts, be safe guys. It's been a pandemic. Stay safe. Don't go out until it's necessary and wear a mask always. Also, think before clicking on anything that you get in email. So you sanitize your hands, and your emails, or your clicks too. So either way, stay safe.

Joseph Carson:
Yeah. Yes. Absolutely important words, and absolutely, for the audience, stay safe. Until we're ready to socialize again, let's make sure we keep the world a safer place, both in person and online. Shyam, it's been a pleasure having you on the show, really looking forward. The links to the book and your links to yourself, we'll make sure they're available in the show notes. For the audience, it's been a pleasure as always. This show keeps getting better and better. And we're really excited with the statistics right now, with thousands and thousands of listeners on these episodes. So for the audience, we're only successful with you. And the more you listen, the more you share it with your colleagues and friends and others, that's what makes this successful.

Joseph Carson:
We're here to make sure that you stay educated, with thought leadership, bringing amazing guests on the show to make sure that we keep you in the know. So again, many thanks to the audience for listening. And we look forward to sharing more exciting episodes in the future. So stay tuned every two weeks and go back and listen to previous episodes. As I mentioned, we had the Zero Trust one not so long ago; go back and listen to some of the previous episodes. Hacking gamification is also a great show. Go back and listen to previous episodes. You'll definitely get a lot of value. So thank you. Stay safe. Take care and talk to you soon.