Avast Principal Malware Analyst, Michal Krejdl, explains the hacks and lingo from Mr. Robot eps3.8_stage3.torrent
Last week’s episode, like most Mr. Robot episodes, included a flashback and jumped back and forth in time.
The episode includes a scene where AllSafe initially pitches E Corp. I can’t figure out why Mr. Price hired AllSafe, was it because he eyed Angela or because he was in on the 5/9 hack all along? I think there is more to Mr. Price and Angela’s relationship and I hope we get some answers next week, or next season. Poor Angela is not doing very well. The last we see her in this episode is in a robe with a granny style shopping cart about to enter a van with two men in suits. Something tells me that may not end well.
Tyrell, who the FBI set free, gets two unexpected visitors. Mr. Robot, who he tries to beat up, and Mr. Price. Mr. Price tells Tyrell that despite Tyrell being named CTO of E Corp again, he won’t have much say at all. The more important information Mr. Price shares with them, is that he has been involved in the 5/9 hack all along, making them realize that the Dark Army played them.
Elliot shows Darlene Trenton’s email, which explains how the hack can be undone. Apparently, Trenton found out that Romero was monitoring their machines and had the encryption keys were exported the night of the hack, giving them a chance to recover E Corp’s data. If they can find the keys. Elliot explains that they need access to Romero’s keylogger files. The FBI confiscated Romero’s drives, meaning all his data is in the FBI storage system, Sentinel. Darlene offers to take care of getting the encryption keys.
Stefanie: What are keylogger files and how will they help Darlene and Elliot get the encryption keys?
Michal Krejdl, Principal Malware Analyst at Avast: Keyloggers are typically used by cybercriminals to catch keystrokes made on a particular PC, aggregated and sent to a server. You can also filter the set of keystrokes in order to fetch only parts that contain something interesting, such as credentials. After the data is extracted (chunks of keystrokes) and sent to a server, they are stored as keylogger files. This is typically a raw sequence of all keys pressed on the compromised PC. Reading these sequences can, for example, reveal passwords typed by the victim. In this case, Elliot and Darlene want to get their hands on Romero’s keylogger files to undo the 5/9 hack.
Darlene decides to use Dom to get to Sentinel. She sets up a meeting in a bar, to try to steal her FBI access ID credentials using a tool.
Stefanie: What did Darlene use to try to steal Dom’s credentials?
Michal Krejdl, Principal Malware Analyst at Avast: Darlene used a Bishop Fox’s Tastic RFID Thief. RFID stands for Radio frequency identification. The tool is a long-range RFID reader that can steal badge information when the tool is near a badge. The tool silently steals badge information and saves it to a text file on a MicroSD card, so it can later be used for badge cloning.
This fails however, which Darlene realizes when she checks the device in the bar bathroom. She has to resort to other means of getting her hands on Dom’s badge. The two go back to Dom’s apartment, where Darlene seduces Dom to sleep with her. In the middle of the night, Darlene wakes up and opens Dom’s safe. Dom catches Darlene red handed and brings her into the Bureau for interrogation, with Santiago - who remember, is a Dark Army member. Darlene ends up confessing she knows how to undo 5/9 and wants to prove it to them. She then tells them how, which was a stupid move, unless this was part of the plan? She also mentions that “the FBI is obviously in bed with the Dark Army”. Dom, once again, realizes something is up, when Santiago doesn’t want to let Darlene prove that she can revert the 5/9 hack. When will Dom finally trust her gut and confront Santiago about his involvement with the Dark Army?
Elliot in the meantime, meets with the Dark Army. He tells them about a fictitious Stage 3 attack, which would eliminate E Coin, taking down E Corp for good. The Dark Army take Elliot’s laptop and copy information from it, using a USB stick. Pretty stupid move. Elliot later on explains.
Stefanie: We have seen USB sticks be used to spread malware a lot on Mr. Robot. It doesn’t really seem like a wise move, even though the act seems harmless.
Michal Krejdl, Principal Malware Analyst at Avast: You’re right, inserting a USB stick into a computer is typically harmless. However, you should never insert a USB stick into a USB stick if you don’t know what’s on and especially, if you don’t know where the USB stick came from. Users should have antivirus installed on their computers, as antivirus can protect PCs from becoming infected by malware, even if they try to enter the PC via USB stick. A perfect example of this was in season one, when a police officer picks up a USB from a parking lot, a USB stick Darlene loaded with malware. The officer sticks the USB stick into his work computer and BAM! Avast blocks the threat!
In the past, several malware families spread through USB sticks and SD cards. Criminals used an autorun trick to spread malware to Windows users (this has already been addressed by Microsoft). Windows used to have an autorun function, which was intended to serve as "auto play" for installation CDs. The function allowed setups to run once a CD was inserted into the PC. However, the autorun functionality was not limited to CDs only, thus it was easy to write autorun files to any drive, including USBs and SDs. This way, malicious payloads could easily be run, right when an infected USB stick was plugged into the computer.
When the Dark Army operatives malware copies my file to their command and control server it will be queued up for an operator to review its contents. Once opened, my exploit will give me full access to their management interface.
Next week is the last episode of the season, I am curious to see what’s going to happen and what cliff hanger we will be left with at the end!