Meet Scarlett Reynolds, a newly started ICT Sales Representative at a small technology start-up named Eigar Technologies, based in Sydney, Australia.

She studied at Arthur Phillip High School in Parramatta, before graduating with a double degree in IT and Business from UTS in 2013. She’s a Virgo, her first car was a ‘96 Corolla, and she doesn’t exist.
Neither does Eigar Technologies. In fact, the name Eigar Technologies is a portmanteau of Eiger, a mountain in the Swiss Alps, and EICAR, the test file used to validate antivirus programs.

While she may have a range of social media profiles including LinkedIn, Twitter and Facebook, and Eigar Technologies has a domain with email, none of it is real. It’s all an elaborate fraudulent deception created by me.
You see, I like to use a VM for some of my static analysis, but there’s always the concern (and possible benefit) of dynamic analysis in running it. I love the idea of having a realistic honeypot network though to gather more indicators and intelligence from adversaries, but I didn’t want a machine that was so generic it wouldn’t be tempting to access.
So I built myself a hybrid cloud environment, taking advantage of some of the features and functionality of Azure (as well as blending in with a more typical small business).
I built a local VM, installed Sysmon, enabled security features like full PowerShell logging, and created separate partitions for logging and for storage of malware samples. Then I joined it to a domain using Azure Active Directory, rather than a local Domain Controller. From an outward perspective I was still logging into a domain; that domain just happened to be running in Azure.
To add further authenticity I created an Always On VPN that connected to an Azure endpoint, so that I could mount an SMB storage account as a file share. SMB shares are a common feature of a network environment: a central point for user profiles and documents to be stored. Plus, thanks to the VPN, it circumvented ISPs blocking SMB (TCP 445) and gave the share a local IP address, making it appear more legitimate still.
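The VM build above (PowerShell logging, Sysmon, and an Azure Files SMB share reached over the VPN) can be scripted. The following is an added example written for this page, not a script from the original post; it assumes a hypothetical Sysmon binary and config path, a logging partition at `L:`, a hypothetical storage account `eigartechstore` with a share named `users`, and that the storage account key has been placed in the `AZ_FILES_KEY` environment variable beforehand.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): configure a Windows analysis VM
# with PowerShell logging and Sysmon, then mount an Azure Files SMB share.
# All values below are assumptions for illustration; replace them with your own.

$SysmonExe      = 'C:\Tools\Sysmon64.exe'      # assumption: where Sysmon64.exe lives
$SysmonConfig   = 'C:\Tools\sysmonconfig.xml'  # assumption: your chosen Sysmon config
$TranscriptDir  = 'L:\PSTranscripts'           # assumption: the separate logging partition
$StorageAccount = 'eigartechstore'             # hypothetical storage account name
$ShareName      = 'users'                      # hypothetical file share name
$FileHost       = "$StorageAccount.file.core.windows.net"

# --- 1. PowerShell logging: script block, module and transcription ----------
# These registry values are what the matching Group Policy settings under
# "Administrative Templates > Windows Components > Windows PowerShell" write.
$PsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

New-Item -Path "$PsPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$PsPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path "$PsPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$PsPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$PsPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
New-Item -Path "$PsPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$PsPolicy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$PsPolicy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$PsPolicy\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String

# --- 2. Sysmon --------------------------------------------------------------
# The service is named after the executable (Sysmon64) unless you rename it.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $SysmonConfig              # already installed: (re)load the config
} else {
    & $SysmonExe -accepteula -i $SysmonConfig  # fresh install with the config
}

# --- 3. Azure Files over SMB ------------------------------------------------
# TCP 445 must be reachable. Consumer ISPs commonly block it, which is why the
# post routes this traffic over a VPN into Azure rather than the open Internet.
$probe = Test-NetConnection -ComputerName $FileHost -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $FileHost is not reachable; bring the VPN up first."
}

# Store the storage-account key in Credential Manager so the mapping survives a
# reboot. The key is read from an environment variable rather than hard-coded.
$Key = $env:AZ_FILES_KEY
if (-not $Key) { throw 'Set AZ_FILES_KEY to the storage account key before running.' }
cmdkey /add:$FileHost /user:"localhost\$StorageAccount" /pass:"$Key" | Out-Null

# Map the share persistently as Z: and show the result.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$FileHost\$ShareName" -Persist -Scope Global
Get-PSDrive -Name Z | Format-List Name, Root, Used, Free
```

Over the VPN, `$FileHost` is expected to resolve to the share's private address inside the Azure network; if your DNS does not do that, use the private IP in both the `cmdkey` target and the UNC path, since the stored credential must match the name used to connect. Script block events land in `Microsoft-Windows-PowerShell/Operational` (event ID 4104) and Sysmon events in `Microsoft-Windows-Sysmon/Operational`, which is what the separate logging partition is there to hold.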
But still, what company do you know that doesn’t have an email, or some sort of chat client, or even just the basics like Microsoft Office? So I bought myself a domain and an Office 365 license. Now I had functional email that I could populate with emails from other internal accounts, Microsoft Teams with some chatter to hint at activity, and then a sprinkling of fake branding to complete the picture of this start-up.
Overall I had something that looked like this:

Then to take it further I created social media accounts so that I could access some of those sites without being restricted and called it a day.
So far this had been looking like a nice little weekend project. I’d built up a fake company with a couple of key users, and was excited to do some analysis and get the brand out there in the hope of some malware ending up in my inbox.
I’d built this at the end of March, over the weekend, and had been using it for a few days when the bill came…

Considering it’d only been functional for a few days at this stage, the cost seemed unreasonably high, and not one I could justify. So I deleted the subscription and all within it and called it a day.