Detecting Crypto Currency Theft Hidden Within Encrypted Browser Traffic

Awake Security recently uncovered a new attack that used the cover of normal encrypted browser traffic to perform cryptocurrency theft. In addition to using encryption, the attack, which began with a phishing lure, evaded detection by leveraging popular, high-reputation domains for command and control. This allowed the adversary to bypass the victim’s security controls, including email security solutions, the web proxy, the next-generation firewall, and endpoint detection and response. While the end goal of the attack in this particular case was crypto theft, we assess with high confidence that this same mechanism is being used for other nefarious purposes, including data theft. In fact, the use of these tactics, techniques and procedures by multiple threat actors further complicates detection and attribution.

A Quick Primer

  • Cryptocurrencies, such as Bitcoin, Monero and many others, are electronic forms of currency that are a popular online alternative to government-backed currencies. It is possible to use cryptocurrency anonymously, and its design makes it immune to some of the drawbacks of traditional “physical” cash, such as relying on central banks.
  • While the security of cryptocurrencies is often listed as one of their appeals, they are not immune to good ol’ fashioned theft, with up to $9 million lost each day and $4.26 billion in the first half of 2019 to cryptocurrency scams. Many of these scams are simple phishing attacks, such as those that resulted in the arrest of two Israeli brothers for theft of over $100 million.
  • Pastebin is a website where anyone can paste content and receive a link to share that content. Pastebin is often not blocked by security appliances, which makes it attractive to attackers for hosting malicious code and command and control instructions. This mechanism of circumventing security controls is seen with a variety of malware families, including RevengeRAT and the Watchbog cryptomining botnet. It is also used by several threat actors such as “Gaza Iceberg”.
  • Encrypted traffic poses a challenge for analysts in security operations centers (SOC). Unlike plaintext traffic such as HTTP, Telnet, and SMB, the SOC will not receive alerts based on what the traffic is actually doing, since that information is hidden. Without decryption, it is also not possible for an analyst to perform threat hunting or a manual eyes-on analysis of the traffic to determine whether or not it is malicious. Fortunately, there are still methods that can be used to detect malicious traffic even when the contents are encrypted.

Detecting Phishing and Cryptocurrency Theft using Encrypted Traffic Analysis

Using TLS fingerprinting, an attack was discovered that attempted to steal cryptocurrency from the victim.

[Figure: Crypto currency theft attack map]

The attack was discovered by identifying activity to paste sites (like Pastebin) from unique TLS clients. We analyze fields in the TLS handshake, using JA3 and other techniques, to differentiate sources of TLS traffic. We use this in combination with analytics on the destination. For instance, in this case the victim device was the only one on the entire network seen communicating with ledgerwallet[.]com. Furthermore, this was the first time the domain was seen on the network. This would indicate an attack targeting an individual user as opposed to the network as a whole.
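As an added illustration (not Awake's code and not part of the original post), the sketch below computes a JA3 fingerprint following the public JA3 definition: the MD5 of the ClientHello's version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped. The `build_hello` helper and its sample values are constructed for the demo.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection; JA3 drops them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def _u16s(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf)]

def ja3_from_client_hello(body):
    """Return (ja3_string, md5_hex) for a ClientHello handshake body,
    i.e. the bytes after the 4-byte handshake header."""
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                          # client_version + random
    pos += 1 + body[pos]                  # session_id
    n = struct.unpack_from("!H", body, pos)[0]
    ciphers = _u16s(body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                  # compression_methods
    exts, groups, formats = [], [], []
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0] if pos < len(body) else pos
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)
        if etype == 10:                   # supported_groups
            groups = _u16s(data[2:])
        elif etype == 11:                 # ec_point_formats
            formats = list(data[1:])
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    ja3 = ",".join([str(version), keep(ciphers), keep(exts), keep(groups),
                    "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_hello(ciphers, groups, grease=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello body."""
    cs = ([grease] if grease else []) + ciphers
    ext = lambda t, d: struct.pack("!HH", t, len(d)) + d
    g = struct.pack(f"!H{len(groups)}H", 2 * len(groups), *groups)
    e = (ext(grease, b"") if grease else b"") + ext(10, g) + ext(11, b"\x01\x00")
    return (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack(f"!H{len(cs)}H", 2 * len(cs), *cs) + b"\x01\x00"
            + struct.pack("!H", len(e)) + e)
```

Two hellos that differ only in their GREASE values hash identically, while a client offering a different cipher order or group list yields a different fingerprint, which is what lets an analyst separate TLS clients without decrypting anything.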

A Deeper Dive

The JA3 fingerprint we extracted for this communication appeared to identify banking malware as the source. Now I will admit that I have been critical of JA3 fingerprinting in the past, and for good reason. However, in the last year the ja3er database has been created and appears to be actively maintained, making it useful to identify malware by its JA3 fingerprint or possibly identify whether or not TLS traffic is likely sourced by a browser.

In this case, the JA3 fingerprint for the activity identified the source as being banking malware, as can be seen below.

[Figure: ja3er database]

Our analysis, however, doesn’t stop there: by itself this could be a false positive, so we need to triage. Awake’s own encrypted traffic analysis identified the source instead as Microsoft Edge. Now we could stop there, thinking this is just normal browser traffic, but let’s pull the thread a bit more. The advantage of having an underlying forensic engine is that you can look forwards and backwards to draw more context.

As you can see in the next screenshot, what we observed was traffic to the domain office365.com, followed by pastebin[.]com and finally ledgerwallet[.]com, all in a relatively quick time frame from the same device using Edge. While the connections are encrypted browser traffic, the sequence of events allows us to deduce that this is highly likely the result of clicking a link in an email, followed by C2 and finally execution of the crypto theft.

[Figure: Sequence of attack traffic]
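The destination analytics (a first-seen domain contacted by a single device) and the sequence described above can be combined into one check. This added example is not Awake's detection logic; it runs over constructed session records, and the domain sets, the 120-second window and the `tls_client` labels are assumptions.

```python
from collections import defaultdict

MAIL = {"office365.com"}      # assumption: domains treated as webmail
PASTE = {"pastebin.com"}      # assumption: analyst-maintained paste-site list
WINDOW = 120                  # assumption: max seconds from mail to final hop

def find_chains(sessions):
    """sessions: time-sorted list of (epoch_s, device, tls_client, sni).
    Alert on mail -> paste site -> destination, from one device and TLS
    client within WINDOW, where the destination is first-seen on the
    network and contacted by no other device."""
    devices = defaultdict(set)
    for _, dev, _, sni in sessions:
        devices[sni].add(dev)
    seen, state, alerts = set(), {}, []
    for ts, dev, client, sni in sessions:
        first_seen = sni not in seen
        seen.add(sni)
        key = (dev, client)
        if sni in MAIL:
            state[key] = {"mail": ts, "paste": None}
            continue
        st = state.get(key)
        if st is None or ts - st["mail"] > WINDOW:
            state.pop(key, None)
            continue
        if sni in PASTE:
            st["paste"] = ts
        elif st["paste"] is not None and first_seen and len(devices[sni]) == 1:
            alerts.append((dev, client, st["mail"], st["paste"], ts, sni))
            del state[key]
    return alerts

# Constructed records for illustration; not data from the incident.
SAMPLE = [
    (1000, "10.0.0.5", "edge", "office365.com"),
    (1010, "10.0.0.5", "edge", "cdn.example.net"),
    (1020, "10.0.0.8", "chrome", "pastebin.com"),
    (2000, "10.0.0.7", "edge", "office365.com"),
    (2015, "10.0.0.7", "edge", "pastebin.com"),
    (2040, "10.0.0.7", "edge", "ledgerwallet.com"),
    (3000, "10.0.0.5", "edge", "office365.com"),
    (3010, "10.0.0.5", "edge", "pastebin.com"),
    (3020, "10.0.0.5", "edge", "cdn.example.net"),
    (3400, "10.0.0.5", "edge", "rare.example.org"),
]
```

On the sample, only the 10.0.0.7 chain is reported: the other device's chain ends at a domain already seen on the network, and its later rare destination falls outside the window.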

Key Takeaways

Most organizations have some kind of email security solution in place and look for the obvious phishing attempts. However, this threat would likely evade all of those solutions, both because the traffic itself was encrypted and because the domains in question range from the highly reputable (office365.com) to the not obviously bad (pastebin.com and ledgerwallet.com). However, when you add the context of the source application used for the communication and the sequence of network activities, it is possible to identify the phishing attempt. Security teams would therefore do well to apply such encrypted traffic analysis techniques, which can uncover threats like this that go unnoticed today.

Troy Kent

Threat Researcher