Careto: Unmasking a New Level in APT-ware
  • Notes
    • Know your enemy
    • Other resources = DHS, CERT, POS vendors, Infosec vendors, Bank / ACH / etc.
    • Restrict internet access from POS systems
    • Remote POS hacks
    • Target market cap impact … ~63 in late-Dec, ~55 at low point (early Feb), ~57 now
    • About Remote POS Hacks (http://blog.icorps.com/bid/137975/New-Trend-The-Point-of-Sale-System-Hack) …

      There are many vulnerabilities within a PoS system - if a system is not properly protected, anyone with an inside knowledge of how the systems work can carry out a hack without much difficulty. Hackers are becoming more skilled, therefore PoS systems that used to be seen as a challenge are not as daunting as before. Because many PoS devices come pre-loaded with an operating system, the inner workings and weaknesses of that system are known to hackers. All they need to do is find an unsecured IP address or hack into a secure Wi-Fi connection if proper protections have not been put in place. A well-known weakness of PoS devices is their Internet printing protocol, which many businesses use for remote printing.

      Protecting your business against PoS Hacks: There are some simple and straightforward steps you can take to make your system less accessible to hackers, for example:
      • Ensure all Wi-Fi connections on your network are secure
      • Avoid using a Wi-Fi network name that is associated with your business
      • Implement a lockout system for failed login attempts
      • Always change the default password for software
      • Follow best practices on secure password creation
      • Update your systems as often as possible – manufacturers are usually quick to respond to known vulnerabilities by releasing patches and software updates

      However, no matter how many precautions you take, there is still likely to be one or more vulnerabilities that you are unaware of. Invest in the future of your business by hiring a reputable IT company to assess your system and identify your existing security risks.


  • 1. Careto: Unmasking a New Level in APT-ware
    Sponsored by
    © 2014 Monterey Technology Group Inc.
  • 2. Thanks to Dan Teal, Sr. Architect
    www.Lumension.com
  • 3. Preview of Key Points
    • Installation
    • Backdoor components
    • Use of certificates
    • Exploit sites
    • Communication
    • Command and control servers
    • Exploits used
  • 4. Overview
    • Used many sources for my research, but in particular the 65 page Kaspersky report
    • 380 victims in 31 countries
    • Targets
      • Government
      • Energy, oil and gas
      • Private companies
      • Research institutions
      • Financial
      • Activists
    • 32 and 64 bit Windows
    • Linux, Mac and Android
    • 2 main components
      • Careto
        • User level, collects system info, runs arbitrary code
      • SGH
        • Kernel mode
        • Rootkit
        • Intercepts system calls
        • Steals files
        • Extensible: Skype, encryption keys, WiFi traffic, keystrokes, screen capture…
  • 5. Initial attack
    • Began with spear phishing attacks
      • Videos related to political subjects
      • Food recipes
    • Links to malicious server using disguised URLs
    • After infection, redirected to the actual resource the user was expecting
  • 6. Exploit server
    • Victim first hits Java code to profile their endpoint
      • Browser
      • Plugins
      • OS
      • Version of Office
      • Java version
    • Then, depending on profile, redirected to the appropriate subdirectory for their PC profile
    • Exploits
      • Java
        • Signed applets via CVE-2011-3544
      • Flash
      • Plugins for Chrome and Firefox
      • Windows, Linux and OS X
  • 7. Exploit to Install
    • Java exploit 1
      • Redirected to an HTML file that tries to load and run a signed Java applet
      • Jar file uses CVE-2011-3544
      • Pulls an exe out of icon.jpg from the Jar file
    • Java exploit 2
      • Uses JNLP files
      • Claims to be an Oracle Java update and asks for permission to install
    • Another Java exploit apparently tailored for Macs
    • Flash exploit
      • Leverages CVE-2012-0773
      • Originally developed by VUPEN to win the pwn2own contest
      • First known exploit to defeat the Chrome sandbox
    • Chrome plugin
      • Relied on users to click Continue on the Chrome “may harm your computer” warning
  • 8. Installer
    • Windows standalone executable installer
    • Valid signature: TecSystem Ltd., Sofia, BG
      • Expired 2013.06.28
    • Extracts the appropriate DLL that hosts the persistent backdoor
      • 32/64 bit, named objframe.dll
      • Saves to either %system% or %appdata% depending on Windows version
      • Uses or eschews admin authority depending on UAC
    • Changes file metadata to match kernel.dll
    • Replaces a COM object in the registry
  • 9. Backdoor persistence
    • objframe.dll is activated in every application that uses the hijacked COM object
      • Primary target Windows Explorer – perfect
    • Loads in the hijacked class DLL
    • Erases itself from the process's module list
    • Loads another system DLL not used by the current process
      • Then overwrites the contents of that DLL in memory with itself
      • But leaves the module list alone
    • Disguising its presence
      • Would have to compare the actual memory contents of the library to the file on disk
  • 10. Communication with C&C Servers
    • Now watches for calls to start IE, Chrome or Firefox
    • Injects itself into the browser
      • All C&C communication goes through the browser
      • Evades local firewalls
    • Communicates with C&C servers via HTTP/HTTPS GET and POST verbs
    • C&C server sends back commands
      • Upload
      • Execute
      • System report
      • Etc.
  • 11. SGH module
    • Even more sophisticated
    • Careto and SGH can install each other
    • SGH runs in kernel mode
    • Extensible modules include
      • Skype
      • Keylogger
      • File content
      • Network traffic
      • Screenshots
      • Email messages
  • 12. How could Careto have been defeated?
    • Attack chain: Spear phishing email → Malicious URL → Java/Flash exploit → Malware executables installed → DLL injected → Phone home
    • Controls
      • Awareness training
        • Spear phishing
        • Clicking yes on updates and warnings
      • Web filtering
      • Patching
      • Application Control
      • Memory protection
      • Next Gen Network Protection
  • 13. How do you prevent malware like this?
  • 14. Additional Information
    • Free Security Scanner Tools
      • Application Scanner – discover all the apps being used in your network
      • Device Scanner – discover all the devices being used in your network
      • https://www.lumension.com/resources/premium-security-tools.aspx
    • Reports
      • Whitepaper “The State of APT Preparedness” from UBM Tech at https://www.lumension.com/resources/WhitePapers/The-State-of-APT-Preparedness
      • On-Demand Webcast “Top 9 Mistakes of APT Victims” by Ultimate Windows Security at https://www.lumension.com/resources/Webcasts/Top-9-Mistakes-of-APT-Victims
    • Free Trial (virtual or download)
      • http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
  • 15. Additional Information
    www.lumension.com/endpoint-management-security-suite/buy-now.aspx
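A defender's check for the COM-object replacement described on slides 8 and 9, added here as an example and not part of the deck or its sponsor's tooling: it parses an exported CLSID registry dump (`reg export` text) and flags InprocServer32 entries that point at objframe.dll, at a user-writable path, or live in the per-user HKCU override that shadows HKCR. The registry text is a constructed sample; the suspect-name set and the path patterns are assumptions for illustration.

```python
import re
# Constructed `reg export` text (not real registry data). Entry 1 is a normal system COM
# server; entries 2 and 3 mimic the deck's pattern: a CLSID whose in-process server is
# objframe.dll under %appdata%, entry 3 as a per-user HKCU override shadowing HKCR.
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\CLSID\{00000001-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Windows\\System32\\ole32.dll"
"ThreadingModel"="Both"
[HKEY_CLASSES_ROOT\CLSID\{00000002-0000-0000-C000-000000000046}\InprocServer32]
@=hex(2):25,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,25,00,5c,00,6f,00,62,00,\
  6a,00,66,00,72,00,61,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000003-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\objframe.dll"
'''
SUSPECT_NAMES = {"objframe.dll"}  # backdoor host DLL name given on slide 8 (assumed list)
USER_WRITABLE = ("\\appdata\\", "%appdata%", "\\temp\\", "%temp%", "\\users\\public\\")
def _decode_value(raw):
    """Decode a .reg value body: a "quoted string" or hex(2): (REG_EXPAND_SZ as UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex\(2\):(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return None  # DWORD/binary values are never COM server paths

def parse_inproc_servers(reg_text):
    """Yield (key_path, dll_path) for every InprocServer32 default value in the export."""
    text = re.sub(r',\\\r?\n\s*', ',', reg_text)  # join wrapped hex(2) lines
    key = None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and key.lower().endswith('\\inprocserver32') and line.startswith('@='):
            dll = _decode_value(line[2:].strip())
            if dll:
                yield key, dll

def find_suspicious_com_servers(reg_text):
    """Return [(key, dll, reasons)] for entries matching the deck's persistence pattern."""
    findings = []
    for key, dll in parse_inproc_servers(reg_text):
        low = dll.lower()
        checks = [(low.rsplit('\\', 1)[-1] in SUSPECT_NAMES, 'known Careto DLL name'),
                  (any(p in low for p in USER_WRITABLE), 'server DLL in user-writable location'),
                  (key.upper().startswith('HKEY_CURRENT_USER\\'), 'per-user CLSID override shadows HKCR')]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings.append((key, dll, reasons))
    return findings
```

Run it against a real `reg export HKCR\CLSID` and `reg export HKCU\Software\Classes\CLSID` dump; a hit in HKCU that shadows a system CLSID is the case to investigate first, and slide 9 explains why the on-disk DLL alone will not show the in-memory overwrite.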