Understanding Malware Lateral Spread Used in High Value Attacks

APTs are known to use advanced Techniques, Tactics, and Procedures (TTP), including advanced malware design with protection layers, sandboxing evasion, and lateral movement inside penetrated networks to seek out high value targets. In this webinar, Nick Bilogorskiy of Cyphort Labs will review various lateral movement techniques and methods used by advanced threats in the past. He will look at some APT samples, e.g. Shamoon, in detail to show the specific steps in the lateral movement by the malware. Understanding the lateral movement of APT should help security defenders to better select and implement protection solutions.

Published in: Technology
  1. Understanding Malware Lateral Spread Used in High Value Attacks
     Nick Bilogorskiy (@belogor)
  2. Agenda
     o What is Lateral Spread
     o Examples of Lateral malware
     o Countermeasures
     o Wrap-up and Q&A
     (Cyphort Labs T-shirt)
  3. House Keeping
     • You are on mute
     • Enter questions
     • Resource list
     • Can order t-shirt
     • Suggestions for MMW
  4. Your Speaker Today
     Nick Bilogorskiy, @belogor, Director of Security Research
  5. Threat Monitoring & Research team
     o 24x7 monitoring for malware events
     o Assist customers with their Forensics and Incident Response
     We enhance malware detection accuracy
     o False positives/negatives
     o Deep-dive research
     We work with the security ecosystem
     o Contribute to and learn from malware KB
     o Best of 3rd party threat data
  6. What is Lateral Spread
     Lateral Spread is the movement of malware within the same network. It is also called east-west movement, as opposed to north-south movement.
  7. Malware Kill Chain
     Kill Chain Progression: Exploit → Download/Install → C&C → Lateral Activity → Data Exfiltration
  8. Stages
     Stage 1: Reconnaissance
     • Network hierarchy
     • Services used in servers
     • Operating systems
     • Check host naming conventions
     • Use netstat tool, port scanning
     Stage 2: Stealing Credentials
     • Use keyloggers
     • pwdump tool, mapiget, lslsass, WCE tools
     • Brute force attacks - guessing passwords
     • Look for credentials for systems, servers, switches
     Stage 3: Infiltrating Other Computers
     • Remotely access desktops and blend in with regular IT support staff
     • PsExec and WMI tools
  9. Lateral Malware Case Studies
     Diagram source: trendmicro.com
  10. Why is it important?
     Breaches go undetected for six to eight months.
     Diagram source: cisco.com
  11. Lateral Malware Case Studies
  12. Shamoon - August 2012
     o Shamoon rendered up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia.
     o Credit claimed by Cutting Sword of Justice
  13. Shamoon
     o Installs itself as a service
     o Connects home every 5 mins to send stolen data
     o Spreads to other Windows hosts via SMB
     o Uses a dictionary of passwords to drop a copy of itself to the ADMIN$ network share
  14. Remember the Sony Breach? Case Studies
  15. What was stolen and leaked? In a word, everything!
     o Personal data on employees
     o Movies and scripts
     o Performance reports and salary information
     o Source code, private keys, passwords, certificates
     o Production schedules, box office projections
     o Executives' email correspondence
     o Brad Pitt's phone number! and more..
  16. Destover Workflow Diagram
     Diagram: Attacker → Command and Control Servers → Destover (spreads via SMB port 445) → Dropper drops Wiper; -w Webserver, -d Disk Driver (drops Disk Wiper)
  17. Wiper Switches
     The module can be executed with many parameters:
     switch  description
     -i      Install itself as a service
     -k      Remove the service
     -d      Start file wipe module
     -s      Mount remote shares with hardcoded passwords and delete files from them
     -m      Drop Eldos Software RawDisk kernel driver to wipe MBR
     -a      Start anti-AV module
     -w      Drop and execute webserver to show the ransom message
  18. -w Warning
     o Drops a webserver decrypted from the resource section
     o Runs on the infected machine with the only purpose of showing the user this ransom message
  19. -d Delete
     o Sends a string of "AAAAA"s in a loop to the Eldos driver, requesting it to write directly to the hard disk
     o Deletes all files in the system except the files with extension exe and dll
     o Known to wipe out network drives
  20. Dridex
     Aka Cridex, Bugat. Financial Trojan.
  21. Dridex Trojan
     o First seen: Nov 2014
     o Target: North American and European banks
     o Distribution: spam mails with Word documents
     o Infected users: about 29,000 (Symantec)
  22. Conficker
     o Devastating worm that infected over 15 million computers through MS08-067, file shares and removable media
     o Microsoft disabled autorun in response to this worm
  23. Stuxnet
     o Spread using 0-day exploits and network file shares
     o Disabled 1000 of Iran's nuclear centrifuges in 2009
  24. Remember the Target Breach? Case Studies
  25. Target Breach Malware - BlackPOS
     o November 2013
     o 110 million cards stolen
     o $500 Million total exposure to Target (Gartner)
     o Cards resold on Rescator forum
  26. How did the breach happen?
     o Utility contractor's Target credentials compromised
     o Hackers accessed the Target network
     o Uploaded malware to a few POS systems
     o Tested malware efficacy and uploaded to the majority of POS systems
     o Data drop locations across the world
     Diagram: login from the HVAC contractor → Target's POS updater server → point of sale network → Target's internal server with fileshare (credit card info transfer to internal fileshare) → card info exfiltration using FTP to external drop location (compromised drop locations)
  27. What is BlackPOS/Potato?
     o Malware is a modified version of BlackPOS or Kaptoxa (Russian for Potato).
     o Runs on point of sale terminals and scans memory for credit card data.
     o First samples of this malware date back to Jan 2013 and were coded by Rinat Shibaev aka "ree4", aka "AntiKiller" from Russia.
     o Malware was sold by Antikiller on a hacker forum. However, Antikiller is not directly involved in the Target breach.
     (Screenshot: malware on sale by ree4)
  28. Who wrote BlackPOS/Potato?
     o The suspect in the breach is a person called "Rescator" aka "Hel". He is part of a larger hacker network called "Lampeduza Republic".
     o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-45 per card.
     o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator.
     (Image: Hel)
  29. Malware Workflow
     1. Infect System
        o Adds to autostart via service
        o Download and run memory scraper
     2. Steal Info
        o Use memory scraping to find credit card data
        o Output to a file locally
        o Send the dump file to the exfiltration server via SMB
     3. Exfiltrate Info
        o Periodically scan winxml.dll for updates
        o Upload information to the FTP server
  30. Dissecting the Malware
     This malware had 2 modules:
     o Mmon module: scans the memory of the POS machine, extracts credit card numbers and dumps them to a file, then sends them to another compromised system inside Target's network via a network share
     o Bladelogic Uploader module: uploads those dumps to an FTP server
  31. Dissecting the Target Malware
     o Mmon module creates a thread that will upload the stolen information to another compromised system within Target's network using a network share with the following credentials:
        o hostname: 10.116.240.31
        o username: ttcopscli3acsBest1_user
        o password: BackupU$r
     o Afterwards, it deletes the mapping of the drive to avoid detection.
  32. More Examples of Lateral Spread Malware
     o Allaple
     o Bondat
     o Bugbear
     o Dorkbot
     o Gamarue
     o Katar
     o Kenilfe
     o Mytob
     o Narilam
     o Nimda
     o Pushbot
     o Rimecud
     o Sality
     o Silly
     o Vobfus
  33. Countermeasures
  34. Countermeasures: See
     o Threat Intelligence
     o Forensics
     o Harden the network
     o Proactive monitoring
     o Look for data exfiltration
  35. Countermeasures: Find
     o SMB file traffic
  36. Countermeasures: Correlate
     Diagram: Inspection, Analytics, Correlation; Internet (Perimeter Detection) and Lateral Spread (Lateral Detection)
  37. Conclusions
     o It is not sufficient to monitor the egress point for threats
     o Apply Machine Learning to all malware inspection, including lateral spread
     o Go deep and wide in the network
     o Correlate north-south and east-west malware movements
     o Attack malware at each stage of the malware kill-chain.
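As an added example (not from the deck or from Cyphort Labs), this applies the "Find" and "Correlate" countermeasures and the conclusion's north-south/east-west correlation to constructed log records: it flags a host that both beacons to one external address at a fixed interval (as Shamoon did every 5 minutes) and fans out to admin shares on several internal peers (as Shamoon's ADMIN$ drop and BlackPOS's share upload did over SMB). The record format, the event labels and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
# Constructed sample records (not from the deck): "timestamp src dst event".
# The event labels are hypothetical normalised names from a log pipeline.
SAMPLE_LOG = """\
2014-11-24T10:00:00 10.0.1.5 203.0.113.9 outbound_connect
2014-11-24T10:05:00 10.0.1.5 203.0.113.9 outbound_connect
2014-11-24T10:10:00 10.0.1.5 203.0.113.9 outbound_connect
2014-11-24T10:11:05 10.0.1.5 10.0.1.20 smb_admin_share
2014-11-24T10:11:30 10.0.1.5 10.0.1.21 smb_admin_share
2014-11-24T10:12:00 10.0.1.5 10.0.1.22 smb_admin_share
2014-11-24T10:30:00 10.0.1.50 10.0.1.7 smb_admin_share
"""

def parse_log(text):
    """Split records into (time, src, dst, event) tuples."""
    return [(datetime.fromisoformat(t), s, d, e)
            for t, s, d, e in (ln.split() for ln in text.splitlines())]

def smb_fanout(events, min_hosts=3, window=timedelta(minutes=15)):
    """Hosts reaching admin shares on >= min_hosts distinct peers within one
    window (Shamoon's ADMIN$ drop and BlackPOS's share upload, east-west)."""
    by_src = defaultdict(list)
    for ts, src, dst, ev in sorted(events):
        if ev == "smb_admin_share":
            by_src[src].append((ts, dst))
    # Anchor a window at every hit (time-ordered) and count distinct peers.
    return {src for src, hits in by_src.items()
            if any(len({d for t, d in hits[i:] if t - t0 <= window}) >= min_hosts
                   for i, (t0, _) in enumerate(hits))}

def beaconing(events, min_connects=3, tolerance=0.2):
    """Hosts beaconing to one peer at near-constant intervals (Shamoon: every 5 min)."""
    by_pair = defaultdict(list)
    for ts, src, dst, ev in sorted(events):
        if ev == "outbound_connect":
            by_pair[(src, dst)].append(ts)
    flagged = set()
    for (src, _), times in by_pair.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps) if len(times) >= max(min_connects, 2) else 0
        if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
            flagged.add(src)
    return flagged

def correlate(events):
    """Hosts showing both north-south beaconing and east-west fan-out."""
    return sorted(smb_fanout(events) & beaconing(events))
```

Either signal alone is noisy (backup agents fan out over SMB, update clients beacon on a schedule); the combination from one host is what the deck's correlation slide is after.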
  38. Q&A
     Thank You! Twitter: @belogor
     Previous MMW slides on http://cyphort.com/labs/malwares-wanted/