PlasmaRat: why use shitty malware?

I wanted to discuss some issues I find in the realm of choosing malware and why it's perfectly fine to use bad software once in a while. In this, I will detail a plan of action to leverage multiple sets of well known/easily detected malware for various purposes. So let's begin with a soft story. You people love story time, right? In this story a threat actor, before they became a studied attack profile for major organizations, was just a young nooblet looking to see what they could do. While developing their plans and their chess game, they found tools. Now, immediately you're probably thinking script kiddie, and fundamentally you'd be right. These people used what was available to them rather than learning what it took to do it themselves. Eventually, the habits and traits learned by doing this turned into an actionable plan and money was made. When money is made, people stop trying to perfect an art and start looking for more free answers. Instead, our protagonist decides he will learn to do more. This, a crucial turning point, is what makes the difference. He stops doing shit jobs that pay 100% with shitty risks using other people's code, and turns to developing his own attack strategy. This is where our story of WHY comes into play.

The point in our story where we stopped to explain is the same situation where many people may have an issue with others using other people's code. But let's think about this, both as a business and as an art. Let's try to define why people would want to do this.

First, the business side. If your business relies on stealing data for profit, on setting up a botnet to leverage when stealing money, or on disassociating you as a person from you as an actor, then for all of these traits one thing is true: if you go to jail or have anything happen, you have to rebuild to come back. So, as a plan of action, you need your business capable of withstanding the tests and trials of time and courts. To be frank, you need your operations to continue without you present. Now, many people do this by spinning up bot after bot to control subsections of bots; other people do this by assigning people to various places and having each of them act as a burnable resource. But if you're using your own code every time, especially if your business is more than just yourself (orgs/syndication/mobs/militia/whatever), you can't really afford that sort of downtime. So you're going to want to hide your code for post-infection, lessen the chance of detection of your group, and increase the detection of popular malware. Why? The more they detect it, the more you can see who has the money to stop you. Some big business detecting some cheap rat you pulled out of your ass for $20 is a significant win for them according to them, but it's also a win for you, because now you know their detection capabilities. You know whether it launched, failed, or got stopped before calling back. You know this because you pay attention. So your next move could be to slowly try other rats to see what doesn't get detected, try other droppers, see what happens. Slow moves at no cost are only an expense of time. If you can spend the time to do things right, your business will profit from it. Furthermore, accepting an 80% gain or 80% loss should be defined in your business. You spent $20 to get a rat, and get $40 in return from an expected $400. You need to accept it and move forward.

Yes, that's a loss you may not have been wanting, but it wasn't a complete loss, so pick up your shit and move along. You have 20 people working for you, and 10 of them are each tasked with getting $300/month from this. You get 7 of them getting $150 each. They keep less of the money because they performed worse, but the company still has funds so it works out. Well, if it's only 20 people, and 10 of them spent a full month failing to get $300, then you still need a way to feed them and the other 10. Businesses, like families, have to be run with care. The more people you have, the more mouths need to be fed. For them, for their families. So instead of putting half your staff on getting less than expected, or pushing them to make more, you can split it up. Have your highest performing 3 of the 7 that actually got anything set to make as much as they can doing this. Then you send another 2 to find new resources to back up those 3. Then you send another 5, split into two groups, to hunt new targets and pick off the easy fruit before handing it over to those higher performing folks. Now you have 3 people making $4k/m apiece. Now this leaves the entire group with about $600 assuming performance stays up to par. That's not good enough for min wage. You need to raise this up a bit more. If you split your entire staff into two sections of 10 doing the same thing you will get everyone about $1200/m, but is that really enough? What if someone fails or gets sick? Instead, set up a single trainer and a manager/lead. Then you may have 5 people making $4k/m, 2 business function positions, 5 people looking for new venues, and 2 looking for resources for the 5 making money. Total utilization of the workforce? 14 of 20 people. That gets everyone about $1k/m, but the benefit is that there is continuity. You don't need the higher pay if you have functional continuity. If you have even two people not utilized for daily counts, everything they do is profit.

These are your ADHD kids, your scientists, your researchers. These leftovers should be the ones able to do the other jobs but have fun doing all sorts of shit. Because that's how businesses work. 20 people, set job schedules, steady life, and everyone earns their part. If they need more, there are two ways to get it: from the boss or from working for everyone. This idea, almost communistic, works for smaller companies. If you expand too much, you need to have a commune/tribe of leaders that handle this, then inside their ranks have them handle whatever way is best for their people. But at a large functional position, you need your company to work like this. Which is why you need the resources to be minimal. Every free rat that comes out, make those guys looking for helpful resources go and try it out, write a manual about it, then ship the generator and the manual upstream. In some environments, just ship them a new VM snapshot that includes a running version of it with listening ports defined. Let the users of those handle how they get the network to those VMs, and hopefully your people are smart enough to handle this task.

Now, from the art side. As an artist, you may look into finding new ways to do the same things, or to leverage someone else's ideas to make them your own. This goes well with common hacking philosophy, so it's not really that much of a variance that artists indulge in hacking. But it's usually those who make it their primary art that are so fun and full of joy. Still, with so many deviations, it's harder to define a sub-classification for the art. Their art may be in managing a large complex structure of loosely integrated systems. Their art may be in defining code that uses other code to build code from. These are things you need to ask yourself when asking if they are artists or script kiddies. Someone uses another tool, or 1,000 other tools, and then you fail to see the artistry in what they do because you think they're useless for having used other tools. See a problem there?

Now, some additional/honorable mentions that are worth noting. On the business side, you should probably dedicate at least two people to monitoring/maintenance of botnets/structures/services/etc. A botnet admin is essential if you want each botnet to live. Further, don't rely on just one network structure. Make multiple, build them, maintain them as you build more, segregate and either drop or rebuild the old ones. You may have a large amount of cash flowing, or be desperate for cash, but on either side of that, criminal activities need to be kept separated from your desires and left to the business. If your business is built around artists, then you need the business to support their own activities, which then also aids in disassociating yourself from the easily recognized habitual patterns of your workers. Same too on the art side: when you work with others you must understand it's not about you. You are being allowed to work with a group to provide for the group. You are not special here, you are one of everyone here. Instead, to maintain your character and your artisanship, remember that it's not about you when you're working, but the things you do for you will help everyone in your work. Like custom designs, pushing the limits or perceptions of common protocols and behaviors. That is your place as an artist in a group setting, specifically when it's involved in criminal hacking. As well, many businesses use rats that are easy to detect (like PlasmaRAT, which holds its own name in every proper generation); if you want to lower detection you simply swap out those sorts of data with new/generated data and magically you go from 30 second detection to 30 day detection. Or, on the other side, you spread it thin enough so the detection rate versus collection rate is along the lines of 80:20, and you've still got 20% of a proposed attempt at a botnet. For the ease of finding emails and chats and everything else as methods of launching, if 20% isn't good enough for you, then you're in the wrong damn business.
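The detection point above, seen from the defender's side: a commodity RAT that carries its own name in every build is caught by a plain string rule, and the same rule goes blind the moment that string is changed. The example below is added here and is not code from the original post; it is a small static-indicator scanner run over constructed sample blobs. The indicator patterns, sample bytes and file names are all made up for illustration and are not real PlasmaRAT artefacts. Layering a second, less obvious indicator (here a constructed builder stamp) keeps one sample detected after the product name is scrubbed, while a fully scrubbed sample shows why string matching alone is a brittle first layer that needs behavioural detection behind it.

```python
"""Static-string indicator scan (added illustration, not from the original post).

Models the '30 second' detection of a commodity RAT that embeds its own name,
and how quickly that detection degrades once the string is changed.
"""
import re
from dataclasses import dataclass, field

# Constructed indicators for the example only. A real rule set would come from
# vetted YARA/AV signatures, not from two hand-written regexes.
INDICATORS = {
    # The product name the post says every stock build carries.
    "product_name": re.compile(rb"PlasmaRAT", re.IGNORECASE),
    # A hypothetical builder stamp that operators often forget to change.
    "builder_stamp": re.compile(rb"Built with .{0,32}Builder v\d+\.\d+"),
}


@dataclass
class ScanResult:
    name: str
    matched: list = field(default_factory=list)

    @property
    def detected(self) -> bool:
        return bool(self.matched)


def scan_bytes(name: str, data: bytes) -> ScanResult:
    """Run every indicator over one blob and record which ones fired."""
    hits = [key for key, pattern in INDICATORS.items() if pattern.search(data)]
    return ScanResult(name=name, matched=hits)


def scan_samples(samples: dict) -> dict:
    """Scan a mapping of file name -> bytes and return name -> ScanResult."""
    return {name: scan_bytes(name, data) for name, data in samples.items()}


def undetected(results: dict, known_bad: set) -> list:
    """Names of samples we know are malicious but no indicator caught."""
    return sorted(n for n in known_bad if not results[n].detected)


# Constructed sample blobs standing in for dropped files (not real samples).
SAMPLES = {
    # Stock build: product name left in, so the obvious rule fires.
    "stock_build.bin": b"MZ\x90\x00..PlasmaRAT client v1.0..Built with Stub Builder v1.2",
    # Operator renamed the product string but kept the builder stamp.
    "restamped_build.bin": b"MZ\x90\x00..svchost update service..Built with Stub Builder v1.2",
    # Every known string changed: the static layer goes blind.
    "scrubbed_build.bin": b"MZ\x90\x00..svchost update service..internal build 7",
    # Benign file with none of the markers.
    "notes.txt": b"quarterly budget, nothing to see here",
}
KNOWN_BAD = {"stock_build.bin", "restamped_build.bin", "scrubbed_build.bin"}

if __name__ == "__main__":
    results = scan_samples(SAMPLES)
    for r in results.values():
        print(f"{r.name:22} detected={r.detected} via={r.matched}")
    print("missed by string rules:", undetected(results, KNOWN_BAD))
```

The miss on the scrubbed sample is the point: a string rule is cheap and worth keeping as a first tripwire, but the detection a defender relies on has to sit in behaviour (beaconing, persistence, process injection telemetry) that the operator cannot rename away.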

So, as we dive back into our storytelling, this young man knows how to find common rats and common tools to get the money to keep everyone running together. He also knows how to identify traits and behaviors of other people in the game because he's had to separate himself from the game. So, where do we put him in a business? Do we leave him as an artist? Can we profit from him?

So when you ask yourself why people want to use shitty malware, the answer is simple: as leverage. Not as something fancy, not as something to take pride in. No, instead it's something to move forward with. A tool, or a capability.
