1
00:00:10,640 --> 00:00:15,470
Welcome back, everyone, to another video of Expert Malware Analysis and Reverse Engineering.

2
00:00:15,830 --> 00:00:19,190
We will now proceed with the delivery and exploitation phase.

3
00:00:19,490 --> 00:00:28,370
From this phase the real malware action begins, and that's how we are going to proceed now, with much

4
00:00:28,370 --> 00:00:32,720
more hands-on exercises rather than theoretical exercises.

5
00:00:32,720 --> 00:00:37,910
So before we move ahead, let us quickly go through the details of delivery and exploitation.

6
00:00:37,940 --> 00:00:42,860
And we will again be using the example of a spear-phishing e-mail.

7
00:00:43,210 --> 00:00:45,150
So what exactly is spear-phishing?

8
00:00:45,260 --> 00:00:51,810
Spear-phishing is a technique that is used by attackers to launch a targeted attack against

9
00:00:51,840 --> 00:00:55,670
any given individual or against any given corporation.

10
00:00:55,680 --> 00:01:02,370
If you remember the discussions from our previous videos, we talked about the reconnaissance and weaponization

11
00:01:02,400 --> 00:01:08,190
phases, and we said that the attacker collects information about the host, or about the target, or

12
00:01:08,190 --> 00:01:14,450
about the organization, and based on the collected information crafts the weaponization stage, and

13
00:01:14,510 --> 00:01:21,130
once the weaponized file is created, it will use a delivery mechanism to initiate the attack

14
00:01:21,130 --> 00:01:21,710
pattern.

15
00:01:21,990 --> 00:01:26,410
This is what is listed here in steps number one, two, three and four.

16
00:01:26,960 --> 00:01:32,020
So what is special about spear-phishing, and how is it different from phishing?

17
00:01:32,020 --> 00:01:40,060
Now this is an important difference to understand. A lot of times, interviewers for cyber security positions

18
00:01:40,080 --> 00:01:45,360
ask you this question: what is the difference between a phishing attack and a spear-phishing

19
00:01:45,360 --> 00:01:46,070
attack?

20
00:01:46,320 --> 00:01:54,990
Well, a phishing attack is a very broad attack where the attackers send a malicious e-mail to, say, thousands

21
00:01:54,990 --> 00:01:56,020
of e-mail addresses.

22
00:01:56,040 --> 00:02:03,620
They don't really care about who gets infected, and they don't really target a specific individual or organization.

23
00:02:03,630 --> 00:02:12,470
Their goal is to target as many people as possible, and they send that e-mail to a lot of targets.

24
00:02:12,510 --> 00:02:13,920
Spear-phishing e-mails, on the other hand,

25
00:02:13,950 --> 00:02:20,970
are more tailor-made towards a particular individual or a particular organization.

26
00:02:20,970 --> 00:02:29,310
Some of the common examples are the CEO scams that you see, where some particular employees of

27
00:02:29,310 --> 00:02:36,150
a company, especially the employees who are working in the finance department, are usually scammed by

28
00:02:36,150 --> 00:02:42,090
sending an e-mail which looks like it came from the CEO of the company, asking them to transfer

29
00:02:42,150 --> 00:02:47,840
some money from the official bank account to some other bank account.

30
00:02:48,030 --> 00:02:54,400
So that's more about spear-phishing, where they specifically target individuals or organizations.

31
00:02:56,240 --> 00:03:00,050
So let us quickly talk about e-mail as a delivery vector.

32
00:03:00,050 --> 00:03:05,620
In the delivery phase, once recon is done and the weaponized file has been generated,

33
00:03:05,630 --> 00:03:12,920
the attackers can use e-mail as a delivery vector. It can be a targeted phishing attack where the attackers

34
00:03:12,950 --> 00:03:21,680
specifically try to send the e-mails to particular individuals inside the organization.

35
00:03:21,680 --> 00:03:28,460
For example, people who might have higher access within the organization, let's say system administrators:

36
00:03:28,820 --> 00:03:33,700
if you manage to compromise a system administrator's account, then you can get a lot of privileges

37
00:03:33,710 --> 00:03:35,660
inside the network.

38
00:03:35,810 --> 00:03:39,020
It is specific to a group of people and an organization.

39
00:03:39,170 --> 00:03:42,540
It's hard to detect, as these e-mails are tailor-made to look genuine.

40
00:03:42,740 --> 00:03:52,190
So for a normal person it might be difficult to really tell the difference between a legitimate e-mail

41
00:03:52,220 --> 00:03:53,860
and a spear-phishing e-mail.

42
00:03:54,160 --> 00:04:00,500
Since spear-phishing e-mails are targeted, they are very nicely crafted, and they would very

43
00:04:00,500 --> 00:04:07,620
much look like a legitimate e-mail. We will look at a bunch of examples starting from the next video.

44
00:04:07,760 --> 00:04:14,030
So that's the reason why spear-phishing e-mails are also difficult to detect compared to normal phishing

45
00:04:14,150 --> 00:04:21,900
e-mails. In the case of e-mail as a delivery vector, victims are asked to download malicious attachments,

46
00:04:21,910 --> 00:04:29,590
click on embedded URLs, or reply with sensitive information. What can be the steps to identify

47
00:04:29,590 --> 00:04:31,470
malicious e-mails?

48
00:04:31,750 --> 00:04:36,500
You should carefully assess the sender who sent you that e-mail.

49
00:04:36,970 --> 00:04:40,300
Don't just go by the display name that comes in.

50
00:04:40,300 --> 00:04:46,750
Also look at the e-mail address that was registered for that particular display name, because a lot of

51
00:04:46,750 --> 00:04:50,770
times the display name might be something that is very familiar to you.

52
00:04:50,770 --> 00:04:56,470
For example, John or Peter, or some common name, where you might know that particular person.

53
00:04:56,470 --> 00:05:01,210
So it's always wise to carefully look at the sender details.

54
00:05:01,690 --> 00:05:03,250
Next, look at the message body.

55
00:05:03,250 --> 00:05:09,280
Now this is slightly more on the technical track: we look at the message headers to see where

56
00:05:09,280 --> 00:05:11,880
that e-mail actually originated from.

57
00:05:11,890 --> 00:05:13,990
We will be looking into this in much more detail.

58
00:05:14,000 --> 00:05:21,780
In the next video, we'll see how we can analyze an e-mail message body. Also, carefully assess any embedded

59
00:05:21,780 --> 00:05:24,160
links and attachments that are there

60
00:05:24,200 --> 00:05:25,530
in the given e-mail.

61
00:05:25,660 --> 00:05:32,610
This can help you be much more vigilant and avoid clicking on unsolicited links or opening

62
00:05:32,610 --> 00:05:38,400
any unsafe attachment in your corporate network.

63
00:05:38,410 --> 00:05:42,600
So that's all for the delivery phase. In the next

64
00:05:42,610 --> 00:05:50,350
video, we are going to give a much more detailed and technical review of how we can analyze spear-phishing e-mails.

65
00:05:50,830 --> 00:05:52,180
So that's it for this video.

66
00:05:52,270 --> 00:05:52,960
Thanks for watching.