Sometimes in life, things happen and you just have to take it in stride and accept that you were wrong. You can call it a failure, or if you have a more delicate ego, you can call it a “learning experience”. As a security professional who has only recently been doing enough work outside of my day-job to consider it “research”, I had a failure recently that I’d like to spend a little time talking about. So lean into it with me, and set your sails for fail.
I got to Tokyo on a Saturday and spent a couple of days walking around the city, visiting Comiket and generally indulging in as many nerdy activities as I could possibly stuff into a two-day period before rolling out to support a customer in-country. In preparation, I started to look into some more recent malware activity and tried to fill in some gaps I had on modern mobile malware TTPs before sitting down at a terminal on-the-clock.
A colleague of mine sent me a report on some android malware called “spynote” that seemed interesting, and was filled with hard indicators on the malware. As anyone who has seen one of my talks on the topic of network hunting is surely familiar, there’s nothing I love more in this business than a good thread to pull. Call me Rivers Cuomo and I’ll destroy your sweater if you give me a nice enough thread to pull on.
The particular thread I decided to pull was a file hash for an example of the malware. One of the first things I like to do with file hashes is make the rounds to malware analysis sites where examples of the malware may be present. Chief among the list are virustotal.com and hybrid-analysis.com. (Note: There are a lot of sites out there which one might decide is better than the others, I personally find that hybrid-analysis is well laid out and has enough supporting detail in the analyzed malware to make it one of my first stops.)
What I found on hybrid-analysis was a hash for a piece of malware that seemed to match the description of what I had seen in the report; it was marked as Android malware, and the bad-guy apk was identified by hybrid-analysis as ‘malicious’.
“If you want to destroy my sweater, pull this thread as I walk away.” -Rivers Cuomo
Another thing that I found in the hybrid-analysis review of the file was a certificate registered to an email address that looked a little off. In the context of malware, it’s always a red-flag when you start to find hard identifiers like email addresses static in the malware, or even in a certificate associated with the body of code. Running the email address through domain tools led me to a single domain associated with the email address that had lapsed a few months ago. This was my chance!
Now is a good point in the story to point out my mistake in clear, easy to understand terms…I got too excited.
As an overzealous researcher, I decided to go ahead and register the lapsed domain thinking that there was a chance that if malware was associated with the domain, I’d have some traffic associated with the campaign tied to the certificate in a practice referred to as “sinkholing”. Honestly, it wasn’t an unreasonable expectation, but in my excitement, I underestimated the potential for things to not quite work out the way I would have liked them to.
The moral of the story here is that things don’t always work out the way you think they will, but that doesn’t make the experience worthless. I learned a lot from this failure and now that you’ve read this post, you can too!