
How Hackers Plan Their Attacks

To protect yourself from them, you must understand them

The mind of a hacker

My name is Hacker Jack. That’s not my real name, but it’s the name I use when I work. I visit enterprise networks all day long. Sometimes, in the middle of the night. I get a big thrill out of defeating your cyber defenses. You will never find me.

There could be a million of us by now. More are joining our ranks every day. A lot of us are making money at this game of attacking your networks and endpoints, and stealing your data or disrupting your operations until you pay up. Others simply enjoy the excitement of disrupting your world. Causing mayhem can be so much fun.

Some of us work inside your company and have access to credentials, passwords and confidential data. We might work for one of your competitors and we’re busy looking for your product and financial data as well as your business plans.

But I am a soloist. A ransomware wizard. I use my knowledge and the extraordinary tools of my trade to make money – lots of it. By demanding payment in cryptocurrency, I can keep out of sight while you make me wealthy.

I have you in my sights

I am not new at this. It takes me just a little time to prepare my attack. I like to check out the territory before I decide where to strike. So little time, so much opportunity.

My targets are stagnant. The networks just sit there waiting to be assaulted. The so-called state of the art in cyber defense is really backwards. You wait until I enter your space and only then do you try to discover me and my “wares”. Hey, I’m already in before you even get started!

It’s a cat-and-mouse game. All day, my comrades and I study the latest cyber defense methods. Then, we work on solutions that defeat them. When you catch onto what we are doing, we catch onto your new defense and keep a step ahead.

What attracts my attention? How do I decide when it’s your turn?

I love easy-to-penetrate endpoints. They are often connected to the Internet 24/7, even when nobody is working on them. I can take my time to see what kinds of security mechanisms they have installed. Even when somebody is there, I can usually go about my business without them knowing. Once I have access to one endpoint, it becomes quite easy to jump to another.

My favorite activity is tricking users into helping me penetrate their own endpoints. I love that! It’s easy and very rewarding.

Your data for a ransom

There are all sorts of hackers and we all have our own reasons for doing what we do.

I am a ransomware specialist. One of the best. Hackers who go for ransom are the biggest risk-takers in the business. We’re not only breaking the law, we’re also disrupting your operation – and in a big way. But that payoff!

Alternatively, I could target organizations for their sensitive data and blackmail them. Or I could write a banker trojan to steal money from bank accounts. Either way works for me. I especially like the thrill of encrypting critical data and imagining the look on their faces when they discover their sorry situation.

I don’t need to create my attacks from scratch since there are so many sources for working code. My colleagues and I collaborate on the tricks of our trade. I can just look around the Dark Web and find something innovative, learn it, work my magic and adapt it to my needs.

Now, I want to make another bundle of money. Whom should I target and how shall I trick them into helping me?

Why do people rob banks? Because that’s where the money is! My ideal targets are people who will pay up. Organizations have more to lose than individuals, so I go after those. I aim my weapons far and wide until I find an unsuspecting innocent user at an enterprise whom I can sucker into helping me gain a foothold.

An attack like a five-stage rocket

I proceed toward my nefarious goal in discrete stages:

1. Planning. I decide what kind of attack I will do this time and how I will go about it. I am the wizard of ransomware, so that’s the way I play. My colleagues have their own methods and go to great lengths to plan the perfect operation. I’ll describe my plans to you a little later in each of the stages.

2. Dropper. I borrow or create a dropper – a simple piece of code that I brilliantly disguise, tricking you to place it on your own computer. When run, the dropper will install the payload onto your computer. It’s usually concealed in an innocent looking file so you don’t even know it’s there.

3. Payload. I create or modify a high-precision piece of innovative malware and hide it somewhere in cyberspace. It’s poised to cause your company great damage upon my command.

4. C2. I set up a Command & Control (C2) Center, just a fancy name for my server that I use to enable the whole exercise.

5. Execution! This is the exciting part. I can’t begin to describe the utter ecstasy when the money comes rolling in and the international media are full of stories about my exploit.

A dropperful of sugar makes the medicine go down

I am going to start by creating the dropper, the attack element that penetrates your computer. The dropper lies low until you open the host file, and then, pow!, it delivers and executes the malware payload.

I could send you the malware directly, so why do I bother with a dropper?

My dropper is lightweight and camouflaged in a file that you would be intrigued to open. It could look like a calendar invitation, a purchase order or a CV from a friend. Click on an email attachment and, presto!, my dropper is stealthily sitting on your drive. Your cyber software is unlikely to find it.

The dropper’s job is to run the code that fetches the payload. I can do that in several ways by:

- Coming up with a new vulnerability, a Zero Day, exploiting a bug in the application (Microsoft Word in this case) that I can manipulate to run my own code. This is VERY difficult and time-consuming. I can purchase such a vulnerability, but that will be very expensive (could be millions of dollars). It will be discovered quickly and the cyber security companies will provide patches for it right away. I don’t ever do this.

- Using a known vulnerability, an N-Day, and exploiting the fact that many organizations tend not to deploy patches so often, so it might still be effective. Unpatched vulnerabilities are like a big welcome sign. That’s how the Equifax data breach made a slam dunk. Those credit records are still echoing across the Dark Web.

- Writing a malicious VBA macro, a scripting language for MS-Office files, to hide my true intentions.

I like the second option of abusing a known vulnerability. It’s cheap and easy and will work in enough cases to make me wealthy (many IT departments don’t keep up with security patches). I will just get hold of an exploit kit that can be easily found online, make some modifications to get it ready, and bitcoins, here we come!

Dropper is ready!

I just dropped in

Now, I have to get my dropper onto your computer. I can:

- Use email, by far, the most common delivery method. Tried and true and frequently successful, this is my fave.

- Use other collaboration channels like Instant Messaging (IM) and cloud storage. This method is relatively new but becoming popular. Guess what? They are even less protected than emails. Nice.

- Place my dropper somewhere on the web. I’ll give it a name that makes you feel comfortable. I’ll bet hundreds – maybe thousands – of you will click and, in so doing, will download my dropper.

- Follow the lead of several of my friends who give your employees a free flash disk with some cool software. Shove that into your USB port and I’ve got you! But that requires physical media and financial outlay – not my style.

[Figure: delivery channels – Email, Instant Messaging, Cloud Drives, Files, URL/Web Content]

You’ve got mail

My usual modus operandi is email. It’s ubiquitous. It’s anonymous. I can spoof my address and send thousands of emails from anywhere. In fact, 96% of attacks are delivered this way. Email isn’t going away, so I will be able to keep using it again and again.

I would like to mass-distribute my dropper to hundreds of thousands of people. It’s easy to obtain volumes of bona fide email addresses. Lists abound and they’re virtually free to obtain. I can download 100,000 in a few seconds.

Now, equipped with your email addresses, I have to implement a method for making sure enough of you see the emails I am going to send your way. I just need to overcome a few obstacles.

Anonymity for mass-emailing is not that easy. Sending attachments from free email vendors like Gmail and Yahoo requires validation (e.g., verification of phone number and behavior analytics that validate the veracity of mass email traffic). I don’t want that.

If I send the same email to hundreds of thousands of recipients, it will surely be flagged as spam, reducing my conversion rates. So, I need a variety of outgoing mailboxes. I return to the Dark Web and find a list of email addresses that my fellow hackers have obtained during their successful careers. Previously hacked email addresses and passwords and personal identifiers are perfect for higher credibility and diversity and they make it harder for spam filters to catch.

I really like these lists of accounts because they also let me get into more accounts and send to their contacts. People are more likely to trust emails that come from someone they know.

To remain untraceable, I also need to be super-careful to use different IPs and hacked routers. Not a big problem. Plenty of those around.

96% of attacks are via email

We are becoming attached

Because most people trust MS-Word files without hesitation, I hide my dropper in a docx file attachment to my email. I give it a catchy name that people like to click on. I will call it “CV” because studies show that people tend to open CVs even from contacts that they don’t know personally. “CV” will be the attachment to my email.

So, here it goes. 100,000 emails on their way. The law of averages means that some significant number of recipients are going to click on the attachment. Even if it’s only 1%, that’s 1,000 “conversions” – computers that my dropper can infect.

Did you get one of my emails? Just click on the attachment and…
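As an added defender-side check (example code written for this page, not BitDam’s product code or the author’s), the following Python inspects the attachments of an email message for exactly the trick described in the dropper sections: a document named like a CV whose extension says “docx” but whose contents carry a VBA macro project, or whose declared extension does not match the file’s real container format. The sample message and its “CV.docx” attachment are constructed inline; the addresses are placeholders.

```python
import io
import zipfile
from email.message import EmailMessage

# Signatures used by the check (added here; not from the original text):
# OOXML files (docx/xlsx/pptx) are ZIP archives and store VBA macros as a
# vbaProject.bin part; legacy OLE documents (.doc) start with D0 CF 11 E0.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXTS = {"docx", "xlsx", "pptx"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "doc", "xls", "ppt"}

def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTS:
        findings.append(f"macro-capable extension .{ext}")
    if ext in OOXML_EXTS and not data.startswith(ZIP_MAGIC):
        findings.append(f".{ext} extension but content is not an OOXML (ZIP) file")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return findings + ["declared ZIP container is corrupt"]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("contains a VBA project (macro) despite filename")
        if any("oleobject" in n for n in names):
            findings.append("contains an embedded OLE object")
    elif data.startswith(OLE_MAGIC) and ext in OOXML_EXTS:
        findings.append("legacy OLE document renamed to an OOXML extension")
    return findings

def inspect_message(msg: EmailMessage) -> dict[str, list[str]]:
    """Run inspect_attachment over every attachment; returns {filename: findings}."""
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report[name] = inspect_attachment(name, part.get_payload(decode=True) or b"")
    return report

def build_sample_message() -> EmailMessage:
    """Constructed sample: a 'CV.docx' attachment that secretly carries a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder macro blob
    msg = EmailMessage()  # placeholder addresses below are constructed
    msg["From"], msg["To"], msg["Subject"] = "recruiter@example.invalid", "hr@example.invalid", "CV"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="CV.docx")
    return msg
```

A mail gateway rule built on this would quarantine the message rather than trust the “.docx” name; the same content checks apply to files arriving over IM or cloud-drive shares.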

Under the radar

Your computer is probably protected by a goodly number of cybersecurity measures like anti-virus software (AVs).

I have to make sure that once the dropper shows up in your email, it won’t be detected by the AVs or other cybersecurity solutions before you click on the attachment. This part itself is very challenging as there are many AVs out there, there are many versions of the application that I want to exploit, and there are many versions of popular operating systems. I need to check as many such versions of everything as possible to make sure my dropper will not be flagged as malicious.

It’s painstaking work, but I am experienced and very good at it.

The average dwell time – the time that exploits remain under the radar – is a full six months. Once my stuff infects your computer, it can remain undetected for a very long time.

So, I have successfully delivered my dropper onto your computer.

One click and you activate my payload.

Anatomy of malware

What’s this payload all about? It’s the ransomware, the essence of my attack. Creating such malware is a true art form. Effective malware consists of many parts, each with its own complexity and sophistication. I have to take into account many key issues:

- Evading AV Signatures. Regardless of any action the AVs might take, my malware’s execution must be undetectable, at least for a minimum amount of time. Sometimes, AVs proactively stop actions that they determine to be malicious; I must make sure that no AV stops the execution of my pretty payload of ransomware until it completes its task of encrypting data on the computer. Therefore, I have to hide all external communications, file accesses and other tip-offs from the AVs.

- Running in Stealth. I don’t want the human user to notice anything unusual running on the computer. I must make sure that the malware doesn’t consume too much compute. My sophisticated malware will be injected into a legitimate process. Since injection is the method used by many hackers, AVs are built to detect most of the known injection methods. So, this is a delicate and intricate task. Kids, I am a professional. Don’t try this at home!

- Encryption Strategies. My malware is designed to encrypt as much data as possible before the user senses that something is wrong. Should it start from encrypting the most important data so as to ensure that the user will pay the ransom? Or maybe it should start from the least significant data to keep under the radar for as long as possible? These are questions that I have to address and decide about my strategy.

- Risk Mitigation. Every cybersecurity solution is on the lookout for ransomware. It’s going to be detected very quickly. There is a very short window of time until AVs detect my dropper once it goes into execution and my malware payload, and they will kill it before it can execute. Therefore, to buy precious seconds, I must create numerous variations of the dropper and payload that will fool the AVs for at least a little while.

- Spreading Across the Network. I want my malware to reach as many computers in the network as possible. WannaCry spread so quickly and widely by using a vulnerability that was published by the NSA. Finding a great vulnerability or using one that was recently published but for which updates have not yet been implemented is the holy grail of professional hackers like me. I study this day and night.

The malware has left the building

When the time comes, I want my dropper to be able to fetch the malware without suspicion. I don’t want the malware on my own computer because people will find me.

I need to store my malware payload somewhere in cyberspace: hosted on a hacked website (the website owner doesn’t even know that it was hacked), stored on PasteBin or even hidden in a Twitter image. The possibilities are endless, but the selection is critical to success.

I know that once one company learns about my malware, the word will spread and everybody will try to find and remove my “gift” before people have a chance to reward my work.

I know that making them delete something from Twitter will be much more difficult than from a hacked website (one ‘delete’ and it’s gone), so I decide to hide it inside an image posted in Twitter. In fact, I might hide it in several images – whatever it takes to buy time.

The rise of the machines

One more component is needed before I execute the heist.

I have created a Command and Control (C2) Center far away from your reach. My C2 can use cloud-based services, such as webmail and file-sharing services, to blend in with normal traffic and avoid detection.

If my malware payload is designed to extract data, it delivers it to the C2. But in this case, my malware is going to encrypt the files on your computer until you pay the ransom. So, my C2 stores the encryption keys.

I practice with my mini-C2 in my own “lab” many times to make sure I get everything right. And when I do, a mischievous smile comes over my face. I am ready.

Plan your execution, execute your plan

My ransomware is threatened by AVs, firewalls and Intrusion Prevention Systems that will eventually detect it. My game is about accomplishing as much encryption on as many machines as possible before detection.

I have carefully executed all stages:

- Planned the attack
- Created a great dropper and placed it on your and thousands of other computers
- Created a potent malware payload and found a good place to store it
- Equipped my C2 with the encryption key

Let the games begin!

When all goes well, you and many others will click on the droppers that will summon the malware that will encrypt your files. Your computer screens will freeze up with my message in very bold red, alerting you to your sorry situation – your computer files are encrypted and if you want them back, you will have to pay a ransom in impossible-to-trace cryptocurrency. Your screens will display simple-to-follow instructions so you can do that quickly. (I like “quickly”.)

Some hackers leave you in the lurch. I have my ethics. When you pay, you are delivered the key for file decryption and life goes on.

I thank you for your contribution.

BitDam brings a pioneering approach to protection against malware. Its cloud-based Advanced Threat Protection (ATP) blocks content-borne attacks delivered via email, cloud storage, and Instant Messaging, empowering organizations to collaborate safely.

While current cybersecurity solutions are based on knowledge of previous attacks, limiting their ability to detect unknown threats, BitDam’s attack-agnostic technology provides remarkably higher protection from first sight.

How?

BitDam learns the normal code-level executions of business applications such as MS-Word and Acrobat Reader. Based on this whitelist, BitDam determines whether a given file or URL is malicious or not, regardless of the specific malware it may contain.

The proof is in the pudding

BitDam shows x10 detection rates compared to the industry standard and is used by leading organizations worldwide to block threats that otherwise go undetected.

Customer story - The City of Las Vegas

See it with your own eyes

Check - Online PenTest
Scan a file - Get BitDam’s verdict
Free trial - Office 365 users
Inquiries - Contact us
www.bitdam.com
