During the past year IR teams and security researchers around the world witnessed a rise in the use of legitimate tools and common scripts in malware and APT attacks. This talk will explore the presenters’ research that focused on automating the analysis of PowerShell and Macro/VBA/VBS attacks by building a heuristic-based compiler engine that determines whether a script is malicious or not.
(Source: RSA Conference USA 2017)
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats
1. #RSAC
SESSION ID: HTA-R11
Isolating the Ghost in the Machine:
Unveiling Post Exploitation Threats
Rotem Salinas
Senior Security Researcher
RSA Security
Rotem.Salinas@rsa.com
@rotemsalinas
Uri Fleyder-Kotler
Advanced Threats Research Lab Manager
RSA Security
Uri.Fleyder@rsa.com
@ufleyder
2. Houston, We Have a Problem
Agentless/non-malware attacks are a rapidly growing threat
Attackers are implementing stealthier methods to bypass defenses
3. Research Goals
Goals
— Find a way to assess a script’s “maliciousness” automatically
— Do it without the potential harm of infection
— Make it fast!
Narrow the problem space
— VBA
— PowerShell
Not focused on the code extraction
The same concepts can apply to similar problems
4. The “Imaginary Engine”
How can we develop such a 1337 imaginary engine?
Problem solving in 3 basic steps
— Analysis
— Brainstorming
— Implementation
5. The First Step – Malware Analyst Standpoint
Traditional static analysis approach
— Determine execution flow
— Deobfuscate
— Find suspicious activity
9. The First Step – The Attacker’s Main Objectives
Objectives and their indicators
— Code execution: prerequisite; spawning new processes/threads
— Persistency: disk operations, registry operations
— Stealth: OS manipulation
— Enumeration: registry operations, enumeration
— Command & Control / Data Exfiltration: network operations
— Lateral Movement: network operations, enumeration
10. Case Study – Dridex Campaign
Peaked during 2015-2016
Used macros in Office documents to deploy Dridex variants
Targeted many companies and financial entities around the world
Delivered in large-scale spam/spear-phishing campaigns
12. Case Study 1 – Dridex Campaign
Entrypoint – this is where the code starts its execution
Non-linear code execution – GoTo jumping to labels
18. Case Study – Anunak/Carbanak
Financial APT
Only 1 submission to VT
Attributed to the Anunak cybergang
Final payload
— VBS/PowerShell
— PE executable
See full analysis in Appendix
19. The Second Step – Brainstorming
Common approaches, pros and cons
Hooking
— Use available source code or patch existing DLL/EXE
— Insert code that would sink certain expressions
— Remove potentially harmful code
Taint Analysis / Symbolic Execution
— Implement an engine that would emulate the language interpreter
— The engine should evaluate each line of code
— Instead of invoking potentially harmful expressions, it would sink them
20. We Have a Winner!
Symbolic Execution
Pros
— Cannot harm the machine in any way (even if we missed something)
— We know exactly how it works. NO reverse engineering!
— Not limited to a specific platform/OS
Cons
— Hard to implement
— Might lack some language functionality
21. Symbolic Execution: Double Sweep Method
First sweep
Global context
— Global variables
— Code
Function declarations
External DLL declarations
22. Symbolic Execution: Double Sweep Method
Second sweep
Function code – starts with the entrypoint
Follows execution flow
Executes stubs instead of built-in language functions
Evaluates expressions
— Math
— String manipulation
— Logical expressions (condition evaluation)
24. Lexical Analyzer (Tokenizer)
Tokens
Language keywords
Immediate values
— Strings
— Integer/numeric values
— Floating point values
— Arrays/compound data-types
Identifiers – variable names, function names, object names
Operators – math, bitwise, logical, string manipulation
* Diagram courtesy of David Beazley
25. Syntax Analyzer (Parser)
Parses the language syntax according to the tokenized output from the lexer
The language syntax/grammar is defined by multiple functions
Each function represents a BNF expression and passes the parsed/extracted values to the next function in line according to the BNF statement
* Diagram courtesy of David Beazley
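The two sweeps (slides 21-22) and the lexer/parser pair (slides 24-25) fit together in one small program. The following is an added illustration written for this page, not the RSA engine and not David Beazley's code: a toy lexer, a line-oriented parser and a double-sweep evaluator for a VBA-like subset. The accepted grammar (Const, Sub/End Sub, Set, assignment, GoTo and labels, & concatenation), the entry-point names it looks for, the two helpers it evaluates for real (Chr, StrReverse), the stubbed built-ins and the finding categories are all assumptions, and the macro it analyzes is constructed.

```python
"""Toy double-sweep symbolic executor for a small VBA-like subset. Added illustration, not
the talk's engine: the grammar, stubbed built-ins and finding categories are assumptions."""
import re
TOKEN_RE = re.compile(r'''\s*(?:(?P<str>"(?:[^"]|"")*")|(?P<num>\d+)|(?P<id>[A-Za-z_]\w*)|(?P<op>[&(),:=])|(?P<comment>'.*))''')
PURE = {"chr": lambda n: chr(int(n)), "strreverse": lambda s: str(s)[::-1]}  # harmless helpers, evaluated for real
SINKS = {"createobject": "com_object", "getobject": "com_object", "shell": "process_spawn",
         "environ": "enumeration", "kill": "disk_operation", "callbyname": "indirect_call"}  # stubbed

def tokenize(line):  # lexer: (kind, value) tokens for one line; identifiers lower-cased (VBA is case-insensitive)
    tokens, pos, line = [], 0, line.strip()
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            raise SyntaxError(f"unexpected input: {line[pos:]!r}")
        pos, kind = m.end(), m.lastgroup
        if kind == "comment":
            break
        tokens.append((kind, m.group(kind).lower() if kind == "id" else m.group(kind)))
    return tokens

class Engine:
    def __init__(self, source):
        self.subs, self.globals, self.findings, current = {}, {}, [], None
        for raw in source.splitlines():                 # sweep 1: collect globals and Sub bodies
            toks = tokenize(raw)
            if toks[:1] == [("id", "sub")]:
                current, self.subs[toks[1][1]] = toks[1][1], []
            elif toks[:2] == [("id", "end"), ("id", "sub")]:
                current = None
            elif current is not None:
                self.subs[current].append(toks)
            elif toks:
                self.exec_stmt(toks, self.globals)        # module-level Const / Dim

    def run_sub(self, name):  # sweep 2: walk one Sub following its real control flow
        body = self.subs[name]
        labels = {t[0][1]: i for i, t in enumerate(body) if len(t) == 2 and t[1] == ("op", ":")}
        scope, pc, steps = {}, 0, 0
        while pc < len(body) and steps < 1000:          # step bound stops GoTo loops
            toks, pc, steps = body[pc], pc + 1, steps + 1
            if toks[0][1] == "goto":
                pc = labels[toks[1][1]]                   # non-linear flow: resume at the label
            elif len(toks) != 2 or toks[1] != ("op", ":"):  # label definitions are no-ops
                self.exec_stmt(toks, scope)

    def exec_stmt(self, toks, scope):
        if toks[0][1] == "dim":
            return                                        # declaration only
        if toks[0][1] in ("const", "set"):
            toks = toks[1:]
        if len(toks) > 1 and toks[1] == ("op", "="):
            scope[toks[0][1]] = self.expr(toks[2:], scope)
        else:                                             # statement-form call (Shell cmd, 0): add parens
            if len(toks) > 1 and toks[1] != ("op", "("):
                toks = [toks[0], ("op", "(")] + toks[1:] + [("op", ")")]
            self.expr(list(toks), scope)

    def expr(self, toks, scope):  # &-chain of literals, variables and calls; toks is consumed from the front
        left = self.primary(toks, scope)
        while toks[:1] == [("op", "&")]:
            toks.pop(0)
            left = str(left) + str(self.primary(toks, scope))
        return left

    def primary(self, toks, scope):
        kind, val = toks.pop(0)
        if kind in ("str", "num"):
            return int(val) if kind == "num" else val[1:-1].replace('""', '"')
        if toks[:1] != [("op", "(")]:                     # variable: local scope, then globals, else symbolic
            return scope.get(val, self.globals.get(val, f"<{val}>"))
        toks.pop(0)
        args = []
        while toks[:1] != [("op", ")")]:
            args.append(self.expr(toks, scope))
            if toks[:1] == [("op", ",")]:
                toks.pop(0)
        toks.pop(0)
        if val in PURE:
            return PURE[val](*args)
        self.findings.append((SINKS.get(val, "unknown_call"), val, tuple(str(a) for a in args)))
        return f"<{val}>"                                 # stub: record the call, return a placeholder

def analyze(source):  # run both sweeps; return (entry point used, findings recorded by the stubs)
    engine = Engine(source)
    entry = next((n for n in ("autoopen", "document_open") if n in engine.subs), None)
    if entry:
        engine.run_sub(entry)
    return entry, engine.findings

# Constructed sample (not a real macro): a dead Shell skipped by GoTo, a ProgID split across a Const, a Chr/StrReverse string
SAMPLE = r'''Const part1 = "MSXML2.XML"
Sub AutoOpen()
    GoTo real_start
    Shell "dead code, never reached", 1
real_start:
    Set http = CreateObject(part1 & "HTTP")
    cmd = StrReverse(Chr(101) & "xe.elpmaxe")
    Shell cmd & " http://example.invalid/payload", 0
End Sub'''
```

The first sweep only records the Const and the Sub body; nothing runs. The second sweep starts at AutoOpen, follows the GoTo so the dead Shell line is never evaluated, resolves the split ProgID and the reversed string by really evaluating the harmless helpers, and replaces CreateObject and Shell with stubs that record a finding and hand back a placeholder instead of touching the machine, which is the "cannot harm the machine, even if we missed something" property from slide 20.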
41. Obfuscation As Heuristics
Obfuscation can be a strong indicator of malicious behavior
Examples
— Object returned from a function call
— Object created from a function call’s return value string
42. Obfuscation As Heuristics – More Examples
More examples
— Self-modifying code (during runtime)
— Data read from controls embedded in the document is considered suspicious
51. VBA – COM Object Creation – Network Activity
Rule of thumb – if your Office documents are communicating, you are in serious trouble
Network activity – COM objects
— Microsoft.XMLHTTP
— MSXML2.SERVERXMLHTTP.6.0
— MSXML2.SERVERXMLHTTP
— MSXML2.XMLHTTP
— WinHttp.WinHttpRequest.5.1
— WinHttp.WinHttpRequest
— InternetExplorer.Application
56. VBA – Built-In Functions
CreateObject – creates a COM object by its string object name
GetObject – creates a WMI/COM object
Eval – covered in Self-Modifying
ExecuteGlobal – VBS specific
CallByName – calls a function/method by string name
Shell – executes a command
Environ – evaluates environment variables
Kill – deletes a file
Application.Run – calls a function by string name
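The COM ProgIDs on slide 51 and the built-ins listed above are the kind of tables a heuristic scanner keys on, and the "object created from a function call's return value" heuristic from slide 41 can be checked in the same pass. The following is an added example written for this page, not the talk's engine: a static scan over macro source that separates string literals from code, maps each hit to an indicator category in the spirit of the objectives/indicators table on slide 9 and sums a score. The ProgID and built-in lists are the slides' own; the category names, weights and threshold are assumptions, and both macros it scores are constructed.

```python
"""Static indicator scan for VBA macro source. Added example, not the talk's engine: the ProgID
and built-in lists come from the slides, the categories, weights and threshold are assumptions."""
import re

# COM ProgIDs from the "Network Activity - COM Objects" slide, compared case-insensitively.
NETWORK_PROGIDS = {p.lower() for p in (
    "Microsoft.XMLHTTP", "MSXML2.SERVERXMLHTTP.6.0", "MSXML2.SERVERXMLHTTP", "MSXML2.XMLHTTP",
    "WinHttp.WinHttpRequest.5.1", "WinHttp.WinHttpRequest", "InternetExplorer.Application")}
# Built-ins from the "VBA - Built-In Functions" slide -> (indicator category, assumed weight).
BUILTINS = {
    "createobject": ("object_creation", 1), "getobject": ("object_creation", 2),
    "eval": ("self_modifying", 3), "executeglobal": ("self_modifying", 3),
    "callbyname": ("indirect_call", 2), "application.run": ("indirect_call", 2),
    "shell": ("process_spawn", 4), "environ": ("enumeration", 1), "kill": ("disk_operation", 2),
}
STRING_RE = re.compile(r'"(?:[^"\n]|"")*"')
COMMENT_RE = re.compile(r"'[^\n]*")
CALL_RE = re.compile(r"(?<![\w.])(" + "|".join(re.escape(b) for b in BUILTINS) + r")\b", re.I)
# Slide 41 heuristic: once string literals are blanked to "", a literal ProgID argument always
# starts with ""; anything else means the object name is built at runtime.
DYNAMIC_PROGID_RE = re.compile(r"\b((?:Create|Get)Object)\s*\(\s*(?!\"\")(?=\S)", re.I)

def split_code_and_strings(src):
    """Blank string literals out of the code (returning them separately), then drop comments."""
    strings = [s[1:-1].replace('""', '"') for s in STRING_RE.findall(src)]
    code = COMMENT_RE.sub("", STRING_RE.sub('""', src))
    return code, strings

def scan(src):
    """Return the findings as (category, evidence, weight) tuples plus their summed score."""
    code, strings = split_code_and_strings(src)
    findings = []
    for m in CALL_RE.finditer(code):
        category, weight = BUILTINS[m.group(1).lower()]
        findings.append((category, m.group(1), weight))
    for s in strings:
        if s.lower() in NETWORK_PROGIDS:          # "if your documents are communicating, you are in trouble"
            findings.append(("network_com_object", s, 4))
    for m in DYNAMIC_PROGID_RE.finditer(code):
        findings.append(("obfuscation_dynamic_progid", m.group(1), 3))
    return {"findings": findings, "score": sum(w for _, _, w in findings)}

def is_suspicious(src, threshold=5):
    """Assumed threshold: one network-capable COM object plus any other indicator trips it."""
    return scan(src)["score"] >= threshold

# Constructed samples, not captured macros.
BENIGN = r'''
Sub FormatReport()
    ' formats a range and tells the user about it
    Range("A1:D1").Font.Bold = True
    MsgBox "Report formatted"
End Sub
'''
SUSPICIOUS = r'''
Sub AutoOpen()
    Dim http, http2, tmp
    Set http = CreateObject("MSXML2.XMLHTTP")                       ' network-capable COM object
    Set http2 = CreateObject(Replace("MSXML2|XMLHTTP", "|", "."))    ' ProgID assembled at runtime
    tmp = Environ("TEMP")
    Kill tmp & "\old.tmp"
End Sub
'''
```

The second CreateObject shows why the literal list alone is not enough: its argument never contains the ProgID as a single string, so only the "not a literal" rule catches it. Blanking literals before the call scan also stops names that merely appear inside strings (CallByName "Shell") from counting twice; that argument still reaches the ProgID check through the strings list.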
62. Appendix – Case Study 1 A – Dridex
Entrypoint – this is where the code starts its execution
Non-linear code execution – GoTo jumping to labels
76. Appendix – Case Study 2 – Anunak
Beacon and deploy final payload
Deobfuscate
77. Appendix – Case Study 2 – Anunak
Beacon Command & Control – Phase 1
Deobfuscate
78. Appendix – Case Study 2 – Anunak
Beacon Command & Control – Phase 2
Deobfuscate
79. Appendix – Case Study 2 – Anunak
Deploy Base64 payload
Write Base64-decoded payload to temp path
Execute payload
80. Appendix – Case Study 2 – Anunak
Analyzing Payload 1
Payload is an icon
Used for credibility
Attempts to gain persistency on the victim’s machine both by using known Autorun registry paths and by creating a scheduled task using the schtasks command
84. PowerShell Techniques – Add-Type .NET Code Injection
Creation of a new type/class using .NET code
Creating an instance of the class and invoking its Start method
85. PowerShell Techniques – New-Object
Creating an object instance
In this example a System.Net.WebClient instance is created in order to download a file
86. PowerShell Techniques – Invoke-WmiMethod
Using WMI for enumeration and system manipulation
In this case creating a key in the Windows registry
87. PowerShell Techniques – DLL Loading
Resolving native Win32 API functions
$module = "kernel32.dll"
API function to be resolved
88. PowerShell Techniques – New-Object -com
Similarly to the COM objects in VBA, the same COM objects can be used in PowerShell using this command
89. PowerShell Techniques – Obfuscation
Obfuscation methods in PowerShell
— Adding ticks (escapes special characters but is ignored before non-special characters) + lowercase/uppercase
— String concatenation/manipulation
— Get-Command + wildcards + aliases
— Invoke-Expression
90. PowerShell Techniques – Obfuscation – Base64
Base64 using .NET classes
CertUtil
— By executing the certutil tool as a command
— certutil -decode encodedInputFileName decodedOutputFileName
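The obfuscation methods on slides 89-90 and the technique markers on slides 84-88 can be handled by one normalizer that first peels the obfuscation and then looks for the techniques in the cleaned text. The following is an added example written for this page, not the talk's code and not Invoke-Obfuscation: it strips inserted ticks, joins concatenated string literals, flags Invoke-Expression and its iex alias, decodes Base64 handed to [Convert]::FromBase64String or -EncodedCommand, recurses into the decoded layer, and then matches Add-Type, System.Net.WebClient, Invoke-WmiMethod, DllImport/kernel32.dll and New-Object -Com. The Get-Command/wildcard/alias tricks from slide 89 are not covered. The indicator and technique names and the sample commands are constructed.

```python
"""Normalizer for the PowerShell obfuscation tricks named in the talk (tick insertion, mixed case,
string concatenation, Invoke-Expression/iex, Base64 via FromBase64String or -EncodedCommand) that
then looks for the technique markers from slides 84-88. Added example, not the talk's code."""
import base64
import binascii
import re

# PowerShell treats a backtick as an escape only before these letters (`0 `a `b `e `f `n `r `t `v);
# before any other character the tick is simply dropped, which is what makes tick insertion work.
TICK_RE = re.compile(r"`(?![0abefnrtv])", re.I)
# Two adjacent string literals joined by '+', e.g. 'Wri'+'te-Host'; applied until nothing changes.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
IEX_RE = re.compile(r"(?<![\w-])(invoke-expression|iex)(?![\w-])", re.I)
B64 = r"[A-Za-z0-9+/]{8,}={0,2}"
FROM_B64_RE = re.compile(r"FromBase64String\(\s*['\"](" + B64 + r")['\"]\s*\)", re.I)
ENC_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+(" + B64 + r")", re.I)
# Technique markers from slides 84-88; the names are this example's own.
TECHNIQUE_RES = {
    "add_type_dotnet_code": re.compile(r"(?<![\w-])Add-Type(?![\w-])", re.I),
    "webclient_download": re.compile(r"New-Object\s+(?:-TypeName\s+)?System\.Net\.WebClient", re.I),
    "wmi_method": re.compile(r"(?<![\w-])Invoke-WmiMethod(?![\w-])", re.I),
    "native_api_import": re.compile(r"DllImport|kernel32\.dll", re.I),
    "com_object": re.compile(r"New-Object\s+-Com(?:Object)?\s+[\w.]+", re.I),
}

def strip_ticks(text):
    return TICK_RE.sub("", text)

def join_concatenations(text):
    previous = None
    while previous != text:
        previous, text = text, CONCAT_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
    return text

def decode_payload(blob, utf16):
    """-EncodedCommand is always UTF-16LE; FromBase64String output depends on the GetString call."""
    raw = base64.b64decode(blob)
    try:
        return raw.decode("utf-16-le" if utf16 else "utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

def analyze(command, depth=0):
    """Peel obfuscation layers; return normalized text, indicators, technique markers and nested layers."""
    report = {"indicators": [], "techniques": [], "normalized": "", "layers": []}
    text = strip_ticks(command)
    if text != command:
        report["indicators"].append("tick_insertion")
    joined = join_concatenations(text)
    if joined != text:
        report["indicators"].append("string_concatenation")
    text = joined
    if IEX_RE.search(text):
        report["indicators"].append("invoke_expression")
    report["normalized"] = text
    report["techniques"] = [name for name, rx in TECHNIQUE_RES.items() if rx.search(text)]
    if depth >= 3:                                        # bound nested Base64 layers
        return report
    utf16_hint = "unicode.getstring" in text.lower()
    blobs = [(m.group(1), utf16_hint) for m in FROM_B64_RE.finditer(text)]
    blobs += [(m.group(1), True) for m in ENC_CMD_RE.finditer(text)]
    for blob, utf16 in blobs:
        try:
            inner = decode_payload(blob, utf16)
        except (binascii.Error, ValueError):
            continue
        report["indicators"].append("base64_payload")
        layer = analyze(inner, depth + 1)
        report["layers"].append(layer)
        for key in ("indicators", "techniques"):          # surface what the inner layer revealed
            report[key] += [x for x in layer[key] if x not in report[key]]
    return report

# Constructed samples (not from any incident); inner payloads are Base64-encoded here so the blobs are valid.
def _b64_utf16(text):
    return base64.b64encode(text.encode("utf-16-le")).decode()

SAMPLE_TICKS = "Invo`ke-Ex`pression ('Wri' + 'te-Hos' + 't hel' + 'lo')"
SAMPLE_ENC = "powershell.exe -NoP -enc " + _b64_utf16("iE`x ('Get' + '-Da' + 'te')")
SAMPLE_B64 = ("[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s'))"
              % _b64_utf16("Get-Date"))
SAMPLE_TECH = ("Add-Type -TypeDefinition $src; (New-Object System.Net.WebClient).DownloadFile($u, $p); "
               "New-Object -com Microsoft.XMLHTTP")
```

The tick rule is the interesting one: because `n, `t and the other escape letters change meaning, an obfuscator can only insert ticks before the remaining letters, so stripping exactly those ticks recovers the cmdlet name without disturbing real escapes. For -EncodedCommand the decoded layer is analyzed again, so a tick-and-concatenation-obfuscated iex hidden inside the Base64 still surfaces in the outer report.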
91. Case Study 3 – Targeted Spear Phishing Campaign
JavaScript outer script with obfuscated strings
Base64-encoded payloads
Each string in the list is reversed
A list of strings including commands and Base64-encoded payloads
92. Case Study 3 – Targeted Spear Phishing Campaign
Deploys 3 PowerShell scripts on the victim’s machine
Payload 1 – .NET code injection using Add-Type
— Creation of a new type/class using .NET code
— Creating an instance of the class and invoking its Start method
93. Case Study 3 – Targeted Spear Phishing Campaign
Payload 2 – .NET code injection using Add-Type, like the 1st payload
Imports multiple Win32 API functions using .NET
94. Case Study 3 – Targeted Spear Phishing Campaign
Payload 3 – downloads a TOR proxifier as a scheduled task
95. Case Study 4 – PowerSploit + Invoke-Obfuscation
Open source project available on GitHub
PowerSploit includes capabilities such as:
— Shellcode injection
— Reflective DLL injection
— WMI
— Code execution
— Mimikatz – NTLM/LM password dump
Invoke-Obfuscation is a PowerShell code obfuscation framework developed by Daniel Bohannon