Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Visiting the Bear Den

6,392 views

Published on

A journey in the land of (Cyber-) espionage - stunning presentation by ESET researchers Joan Calvet, Jessy Campos and Thomas Dupuy.

Published in: Education
  • Be the first to comment

Visiting the Bear Den

  1. 1. Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage Joan Calvet Jessy Campos Thomas Dupuy 1
  2. 2. Sednit Group • Also know as APT28, Fancy Bear, Sofacy, STRONTIUM, Tsar Team • Group of attackers doing targeted attacks since 2006 • Mainly interested into geopolitics 2
  3. 3. 3 Plan • Context • The Week Serge Met The Bear • The Mysterious DOWNDELPH • Speculative Mumblings
  4. 4. CONTEXT What kind of group is Sednit? 4
  5. 5. Who Is The Bear After? (1) • We found a list of targets for Sednit phishing campaigns: – Operators used Bitly and “forgot” to set the profile private (feature now removed from Bitly) – Around 4,000 shortened URLs during 6 months in 2015 5
  6. 6. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2)
  7. 7. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2) parepkyiv@gmail.com
  8. 8. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2) parepkyiv@gmail.com Pakistan+Embassy+Kyiv
  9. 9. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2) parepkyiv@gmail.com Pakistan+Embassy+Kyiv
  10. 10. Who Is The Bear After? (3) • Embassies and ministries of more than 40 countries • NATO and EU institutions • “Who’s who” of individuals involved in Eastern Europe politics: – Politicians – Activists – Journalists – Academics – Militaries – … 7
  11. 11. The Bear Has Money • A bag full of 0-day exploits: 8 2015 Apr May Jun Jul Aug Sep Oct CVE-2015-3043 (Flash) CVE-2015-1701 (Windows LPE) CVE-2015-2590 (Java) CVE-2015-4902 (Java click-to-play bypass) CVE-2015-7645 (Flash) CVE-2015-2424 (Office RCE)
  12. 12. The Bear Can Code • Tens of custom-made software used since 2006: – Droppers – Downloaders – Reconnaissance tools – Long-term spying backdoors – Encryption proxy tool – USB C&C channel – Many helper tools – … 9
  13. 13. Disclaimers • Over the last two years we tracked Sednit closely, but of course our visibility is not exhaustive • How do we know it is ONE group? – We don’t – Our Sednit “definition” is based on their toolkit and the related infrastructure • We do not do attribution (but we point out hints that may be used for that) 10
  14. 14. THE WEEK SERGE MET THE BEAR 11
  15. 15. Who Is Serge? • Code name for an imaginary Sednit target • Serge is a government employee with access to sensitive information • The chain of events in Serge’s attack matches several real cases we investigated • We use it as a textbook case to present (a part of) the Sednit toolkit 12
  16. 16. 13 Monday, 9:30AM
  17. 17. Serge Opens an Email 14
  18. 18. Legitimate URL Mimicking 15
  19. 19. Legitimate URL Mimicking 15
  20. 20. Legitimate URL Mimicking 15
  21. 21. Legitimate URL Mimicking 15
  22. 22. 16 Serge clicks on the URL, and…
  23. 23. …Serge Meets SEDKIT • Exploit-kit for targeted attacks • Entry-point URLs mimic legitimate URLs • Usually propagated by targeted phishing emails (also seen with hacked website + iframe) • Period of activity: September 2014 - Now 17
  24. 24. Landing Page (1) Reconnaissance Report Building 18
  25. 25. Landing Page (1) Reconnaissance Report Building 18
  26. 26. Landing Page (1) Reconnaissance Report Building 18
  27. 27. 19
  28. 28. Crawling Sedkit 20
  29. 29. 21 Serge is selected to be exploited…
  30. 30. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 22 * : At the time SEDKIT dropped them
  31. 31. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 23 * : At the time SEDKIT dropped them
  32. 32. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 24 * : At the time SEDKIT dropped them
  33. 33. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 25 * : At the time SEDKIT dropped them
  34. 34. Revamping CVE-2014-6332 (a.k.a. IE “Unicorn bug”) • October 2015: – Re-use of public PoC to disable VBScript “SafeMode” – Next stage binary downloaded by PowerShell 26
  35. 35. Revamping CVE-2014-6332 (a.k.a. IE “Unicorn bug”) • October 2015: – Re-use of public PoC to disable VBScript “SafeMode” – Next stage binary downloaded by PowerShell • February 2016: – No more “SafeMode” disabling, direct ROP-based shellcode execution – Around 400 lines of VBScript, mostly custom 27
  36. 36. 28
  37. 37. 29
  38. 38. VBScript Framework • Functions: – addToROP() – getROPstringAddress () – Code_section_explorer_7 () – Code_section_explorer_XP() – getNeddedAddresses () – addrToHex () – … 30
  39. 39. VBScript Framework • Functions: – addToROP() – getROPstringAddress () – Code_section_explorer_7 () – Code_section_explorer_XP() – getNeddedAddresses () – addrToHex () – … Have you ever seen this somewhere? (cuz we don’t) 30
  40. 40. 31 Exploit downloads a payload and…
  41. 41. Serge Meets SEDUPLOADER (a.k.a. JHUHUGIT, JKEYSKW) • Downloaded by SEDKIT • Two binaries: the dropper and its embedded payload • Deployed as a first-stage component • Period of activity: March 2015 - Now
  42. 42. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence
  43. 43. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence
  44. 44. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence
  45. 45. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • CVE-2015-1701 (0-day) • CVE-2015-2387 ( )
  46. 46. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • Windows COM object hijacking • Shell Icon Overlay COM object • Registry key UserInitMprLogonScript • JavaScript code executed within rundll32.exe • Scheduled tasks, Windows service,…
  47. 47. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • Windows COM object hijacking • Shell Icon Overlay COM object • Registry key UserInitMprLogonScript • JavaScript code executed within rundll32.exe • Scheduled tasks, Windows service,…
  48. 48. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • Windows COM object hijacking Win32/COMpfun • Shell Icon Overlay COM object • Registry key UserInitMprLogonScript • JavaScript code executed within rundll32.exe Win32/Poweliks • Scheduled tasks, Windows service,…
  49. 49. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  50. 50. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  51. 51. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection
  52. 52. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection C&C Successfully Contacted SUCCESS
  53. 53. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy C&C Successfully Contacted FAIL SUCCESS
  54. 54. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy C&C Successfully Contacted FAIL SUCCESS
  55. 55. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy Inject Into Browsers C&C Successfully Contacted FAIL SUCCESS
  56. 56. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy Inject Into Browsers C&C Successfully Contacted FAIL SUCCESS
  57. 57. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  58. 58. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  59. 59. East Side Story printf debugging
  60. 60. 46 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM Chain of Events Mon Tue Wed Thu Fri
  61. 61. 47 Monday, 10:00AM
  62. 62. …Serge meets SEDRECO • Downloaded by SEDUPLOADER • Backdoor with the ability to load external plugins • Usually deployed as a second stage backdoor to spy on the infected computer • Period of activity : 2012 - Now 48
  63. 63. Dropper • Drops encrypted configuration – In a file (“msd”) – In the Windows Registry • No configuration linked to the payload
  64. 64. Configuration Overview
  65. 65. Configuration Overview XOR KEY
  66. 66. Configuration Overview XOR KEY FIELD SIZES
  67. 67. Configuration Overview (Decrypted)
  68. 68. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '')
  69. 69. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Various timeouts
  70. 70. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Computer name
  71. 71. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Keylogger enabled
  72. 72. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') C&C servers
  73. 73. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Operation name (rhst, rhbp, mctf, mtqs)
  74. 74. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Plugins list
  75. 75. Payload
  76. 76. Payload
  77. 77. Payload
  78. 78. Payload
  79. 79. Payload
  80. 80. Payload
  81. 81. Payload
  82. 82. Payload
  83. 83. Payload
  84. 84. Extending The Core (1) • Plugins are DLLs loaded in the same address space • Plugins receive arguments from the core:
  85. 85. Extending The Core (1) • Plugins are DLLs loaded in the same address space • Plugins receive arguments from the core:
  86. 86. Extending The Core (1) • Plugins are DLLs loaded in the same address space • Plugins receive arguments from the core:
  87. 87. Extending The Core (2)
  88. 88. Extending The Core (2) New command
  89. 89. 55 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM Chain of Events Mon Tue Wed Thu Fri
  90. 90. 56 Monday, 2:00PM
  91. 91. Serge Meets XAGENT (a.k.a SPLM, CHOPSTICK) • Downloaded by SEDUPLOADER • Modular backdoor developed in C++ with Windows, Linux and iOS versions • Deployed in most Sednit operations, usually after the reconnaissance phase • Period of activity: November 2012 - Now 57
  92. 92. 58
  93. 93. 59
  94. 94. • Linux XAGENT, compiled in July 2015 59
  95. 95. • Linux XAGENT, compiled in July 2015 • ~ 18,000 lines of code in 59 classes 59
  96. 96. • Linux XAGENT, compiled in July 2015 • ~ 18,000 lines of code in 59 classes • Derives from Windows version: 59
  97. 97. • Linux XAGENT, compiled in July 2015 • ~ 18,000 lines of code in 59 classes • Derives from Windows version: • XAGENT major version 2, but matches the logic of currently distributed binaries (version 3) 59
  98. 98. Such Comments 60 <- That’s a lot
  99. 99. 61 main.cpp
  100. 100. 61 main.cpp
  101. 101. 61 main.cpp
  102. 102. 61 main.cpp
  103. 103. 61 main.cpp
  104. 104. 61 main.cpp
  105. 105. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  106. 106. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  107. 107. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  108. 108. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  109. 109. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  110. 110. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  111. 111. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  112. 112. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Channel (HTTP or emails) Communication Workflow XAGENT INFECTED COMPUTER
  113. 113. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel C&C SERVER
  114. 114. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS C&C SERVER
  115. 115. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S C&C SERVER
  116. 116. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S SMTPS C&C SERVER
  117. 117. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S POP3S SMTPS C&C SERVER
  118. 118. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S POP3S SMTPS C&C SERVER An email-based C&C protocol needs to provide: 1. A way to distinguish C&C emails from unrelated emails 2. A way to bypass spam filters
  119. 119. Email Channel (2) P2Scheme, a.k.a “Level 2 Protocol” 64
  120. 120. Email Channel (2) P2Scheme, a.k.a “Level 2 Protocol” 64 KEY SUBJ_TOKEN ^ KEY XAGENT_ID ^ KEY base64 0 5 12 16
  121. 121. Email Channel (2) P2Scheme, a.k.a “Level 2 Protocol” 64 KEY SUBJ_TOKEN ^ KEY XAGENT_ID ^ KEY base64 0 5 12 16
  122. 122. Email Channel (3) Georgian Protocol 65
  123. 123. Email Channel (3) Georgian Protocol 65 Georgian national ID number
  124. 124. Email Channel (3) Georgian Protocol 65 Georgian national ID number “Hello”
  125. 125. Email Channel (3) Georgian Protocol 65 Georgian national ID number “Hello” “detailed” + timestamp
  126. 126. Bonus: XAGENT C&C Infrastructure 66
  127. 127. Bonus: XAGENT C&C Infrastructure 66 Thank you, Google search engine
  128. 128. XAGENT Proxy Server • Python code used between April and June 2015
  129. 129. XAGENT Proxy Server • Python code used between April and June 2015 • ~ 12,200 lines of code
  130. 130. XAGENT Proxy Server • Python code used between April and June 2015 • ~ 12,200 lines of code • Translates email protocol from XAGENT into a HTTP protocol for the C&C server: (over HTTP) P3Protocol XAGENT PROXY BACKEND C&C SERVER INBOX P2Protocol
  131. 131. 68 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM XAGENT deployment 02:00PM Chain of Events Mon Tue Wed Thu Fri
  132. 132. 69 Next three days…
  133. 133. Serge Meets Passwords Extractors • SecurityXploded tools (grand classic of Sednit) – Cons: usually detected by AV software • Custom tools, in particular a Windows Live Mail passwords extractor compiled for Serge: 70
  134. 134. Serge Meets Windows Passwords Extractors • From registry hives – Deployed with LPE for CVE-2014-4076 • Good ol’ Mimikatz (“pi.log”) – Deployed with LPE for CVE-2015-1701 71
  135. 135. Serge Meets Screenshoter • Custom tool to take screenshots each time the mouse moves 72
  136. 136. And… Serge Meets XTUNNEL • Network proxy tool to contact machines normally unreachable from Internet • Period of activity: May 2013 - Now 73
  137. 137. 74 SERGE’S COMPUTER (XTUNNEL INFECTED)COMPUTER A (CLEAN) COMPUTER B (CLEAN) INTERNET INTERNAL NETWORK C&C SERVER Initial Situation
  138. 138. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Encryption Handshake C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  139. 139. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  140. 140. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T RC4 key O C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  141. 141. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T  Offset O in T  Proof of knowledge of T RC4 key O C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  142. 142. 76 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T “OK” RC4 key RC4 Key O O C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  143. 143. 77 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Encryption Handshake RC4-encrypted link COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  144. 144. 78 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Encryption Handshake TLS encapsulation (added in 2014) COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  145. 145. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  146. 146. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  147. 147. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN) Any kind of TCP-based traffic can be tunneled! (PsExec)
  148. 148. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN) Any kind of TCP-based traffic can be tunneled! (PsExec)
  149. 149. Code Obfuscation (1) • Starting in July 2015 XTUNNEL code was obfuscated (which is two months after the Sednit attack against the German parliament, where XTUNNEL was used) 80
  150. 150. Code Obfuscation (1) • Starting in July 2015 XTUNNEL code was obfuscated (which is two months after the Sednit attack against the German parliament, where XTUNNEL was used) • The obfuscation is a mix of classic syntactic techniques, like insertion of junk code and opaque predicates 80
  151. 151. Code Obfuscation (2) BEFORE AFTER 81
  152. 152. Code Obfuscation (2) BEFORE AFTER 81 Good toy example for automatic desobfuscation magic?
  153. 153. 82 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM XAGENT deployment 02:00PM Information exfiltration and lateral movements Chain of Events Mon Tue Wed Thu Fri
  154. 154. 83 Friday, 11:00AM
  155. 155. Long Term Persistence (1) • Special XAGENT copied in Office folder under the name “msi.dll” 84
  156. 156. Long Term Persistence (2) • system32msi.dll is a legitimate Windows DLL needed by Office applications 85
  157. 157. Long Term Persistence (2) • system32msi.dll is a legitimate Windows DLL needed by Office applications • XAGENT msi.dll exports the same function names as the legitimate msi.dll: 85
  158. 158. Long Term Persistence (3) • Each time Serge starts Office, XAGENT msi.dll is loaded (search-order hijacking): – Loads real msi.dll from system32 – Fills its export table with the addresses of the real msi.dll functions – Starts XAGENT malicious logic 86
  159. 159. Long Term Persistence (3) • Each time Serge starts Office, XAGENT msi.dll is loaded (search-order hijacking): – Loads real msi.dll from system32 – Fills its export table with the addresses of the real msi.dll functions – Starts XAGENT malicious logic • Same technique also seen with LINKINFO.dll dropped in C:WINDOWS 86
  160. 160. 87 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM XAGENT deployment 02:00PM Long-term persistence method deployment 11:00AM Chain of Events Mon Tue Wed Thu Fri Information exfiltration and lateral movements
  161. 161. THE MYSTERIOUS DOWNDELPH What the hell is going on here ?! 88
  162. 162. Discovery September 2015 • Classic Sednit dropper • Shows a decoy document
  163. 163. What Is In This Dropper?
  164. 164. The Ultimate Boring Component • Delphi downloader, we named it DOWNDELPH (slow clap) • Simple workflow: – Downloads a config (.INI file) – Based on the config, downloads a payload – Executes payload • Persistence method: Run registry key
  165. 165. The Ultimate Boring Component • Delphi downloader, we named it DOWNDELPH (slow clap) • Simple workflow: – Downloads a config (.INI file) – Based on the config, downloads a payload – Executes payload • Persistence method: Run registry key
  166. 166. Let The Hunt Begins 2013 DOWNDELPH Sample Dropper Helper Bootkit Installer DOWNDELPH
  167. 167. Let The Hunt Begins 2013 DOWNDELPH Sample Dropper Helper Bootkit Installer DOWNDELPH • Infects BIOS-based systems • Tested on Windows XP/7, 32bit/64bit • Never been documented
  168. 168. Not So Boring Component
  169. 169. Bootkit Installation MBR Legitimate data First sectors before infection 1ST sector
  170. 170. Malicious MBR Original MBR (1-byte XOR) Hooks (1-byte XOR) Driver (1-byte XOR + RC4) Legitimate Data First sectors before infection First sectors after infection Bootkit Installation 1ST sector 2ND sector
  171. 171. Normal Boot Process Windows 7 x64 BOOTMGR Winload.exe … Real Mode Protected Mode Original MBR Kernel Init
  172. 172. Infected Boot Process Windows 7 x64 Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR … Kernel Init
  173. 173. Infected Boot Process Windows 7 x64 Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR … Kernel Init
  174. 174. Malicious MBR • Hooks INT 13h handler (low-level read/write operations)
  175. 175. Malicious MBR • Hooks INT 13h handler (low-level read/write operations) • Patches BOOTMGR in memory
  176. 176. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR … Kernel Init
  177. 177. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR Hook … Kernel Init
  178. 178. BOOTMGR Hook • Searches OslArchTransferToKernel() in winload.exe to patch it kd> u winload!OslArchTransferToKernel winload!OslArchTransferToKernel: 00000000`003381f0 e961fdd5ff jmp 00000000`00097f56 Before: After:
  179. 179. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR Hook … Kernel Init
  180. 180. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR Hook Hook … Kernel Init
  181. 181. Winload.exe Hook • Locates MmMapIoSpace • Saves some code in ACPI.sys resources section (and makes the section executable) • Hooks ACPI!GsDriverEntry
  182. 182. Saving Important Information ACPI!GsDriverEntry original opcodes 0: kd> db rbx $$ kernel header address 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ.............. b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@....... 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................ 00 74 09 00 00 b4 09 cd-21 b8 01 4c cd 21 54 68 .t......!..L.!Th 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$....... 8a 4a 9e 90 ce 2b f0 c3-ce 2b f0 c3 ce 2b f0 c3 .J...+...+...+.. c7 53 73 c3 aa 2b f0 c3-c7 53 63 c3 c5 2b f0 c3 .Ss..+...Sc..+.. ce 2b f1 c3 a2 2b c0 97-8f 00 00 f8 ff ff 30 fc .+...+........0. 04 00 f2 0f 00 00 48 83-ec 28 4c c3 d4 2b f0 c3 ......H..(L..+.. c7 53 62 c3 cf 2b f0 c3-c7 53 64 c3 cf 2b f0 c3 .Sb..+...Sd..+.. c7 53 61 c3 20 cd a2 02-00 f8 ff ff ce 2b f0 c3 .Sa. ........+.. 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00-50 45 00 00 64 86 18 00 ........PE..d... Bootkit physical address MmMapIoSpace address
  183. 183. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Real Mode Protected Mode Original MBR Kernel Init Hook Hook …
  184. 184. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook …
  185. 185. ACPI.sys Hook • Restores ACPI!GsDriverEntry • Maps the bootkit physical address into virtual address space by calling MmMapIoSpace • Decrypts hidden driver
  186. 186. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook
  187. 187. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook
  188. 188. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook
  189. 189. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook Why a DLL to load another DLL ?
  190. 190. Who Are You Bootkit? • Missing exported variable in DOWNDELPH
  191. 191. Who Are You Bootkit? • Missing exported variable in DOWNDELPH • Code sharing with BlackEnergy – Relocations fixing – DLL injection calling three exports (“Entry”, “ep_data” and “Dummy”) – …
  192. 192. But It’s Not The End of The Story 2014 DOWNDELPH Samples Dropper Helper Kernel Mode Rootkit DOWNDELPH
  193. 193. Not So Boring Component++
  194. 194. Kernel Mode Rootkit (1) • Registered as a Windows service • Injects DOWNDELPH into explorer.exe (APC) • Hides files, folders and registry keys • Relies on a set of rules: HIDEDRV: >>>>>>>>Hide rules>>>>>>>> rules HIDEDRV: File rules: Device[…]dnscli1.dll HIDEDRV: File rules: Device[…]FsFlt.sys HIDEDRV: Registry rules: REGISTRY[…]FsFlt HIDEDRV: Registry rules: REGISTRY[…]FsFlt HIDEDRV: Registry rules: REGISTRY[…]FsFlt HIDEDRV: Inject dll: C:Windowssystem32mypathcomdnscli1.dll HIDEDRV: Folder rules: DeviceHarddiskVolume1Windowssystem32mypathcom HIDEDRV: <<<<<<<<XXXXX<<<<<<<< rules HIDEDRV: <<<<<<<<Hide rules<<<<<<<< rules
  195. 195. Kernel Mode Rootkit (2) How It Works • Two implementations of the hiding ability: – SSDT hooking – Minifilter driver
  196. 196. Implementation Minifilter
  197. 197. Implementation Minifilter
  198. 198. Implementation Minifilter
  199. 199. Implementation Minifilter
  200. 200. Who Are You Rootkit? • Never documented (to the best of our knowledge) • PDB paths: d:!worketchiBinDebugwin7x86fsflt.pdb d:!worketchideinstaller_kis2013BinDebugwin7x64fsflt.pdb d:newhideinstallerBinDebugwxpx86fsflt.pdb
  201. 201. Who Are You Rootkit? • Never documented (to the best of our knowledge) • PDB paths: d:!worketchiBinDebugwin7x86fsflt.pdb d:!worketchideinstaller_kis2013BinDebugwin7x64fsflt.pdb d:newhideinstallerBinDebugwxpx86fsflt.pdb
  202. 202. Who Are You Rootkit? • Never documented (to the best of our knowledge) • PDB paths: d:!worketchiBinDebugwin7x86fsflt.pdb d:!worketchideinstaller_kis2013BinDebugwin7x64fsflt.pdb d:newhideinstallerBinDebugwxpx86fsflt.pdb
  203. 203. To Summarize • Seven different samples (!) of DOWNDELPH over the past three years • One C&C server was up for two years • Persistence methods: – Bootkit able to infect from Windows XP to Windows 7 – Rootkit • So, WHY such advanced persistence methods for such a simple component? • DOWNDELPH downloaded SEDRECO + XAGENT in a few cases, so SEDNIT related for sure
  204. 204. SPECULATIVE MUMBLINGS 116
  205. 205. Call For Speculation • The diversity of Sednit software is impressive (DOWNDELPH, bootkit, XAGENT, SEDKIT…) • Diversity is good for their operations, as it makes detection and tracking harder • How did they created this software ecosystem? 117
  206. 206. Sednit Development Process (1) Developers Role • Binaries are often compiled specifically for a target, after it has been infected 118 XAGENT SMTP logins/passwords
  207. 207. Sednit Development Process (1) Developers Role • Binaries are often compiled specifically for a target, after it has been infected • Main software evolve regularly (XTUNNEL, SEDUPLOADER, XAGENT…) 118 XAGENT SMTP logins/passwords
  208. 208. Sednit Development Process (1) Developers Role • Binaries are often compiled specifically for a target, after it has been infected • Main software evolve regularly (XTUNNEL, SEDUPLOADER, XAGENT…) 118 Developers are part of the team, not outsiders paid for a one-time job XAGENT SMTP logins/passwords
  209. 209. Sednit Development Process (2) Software Design • Different Sednit software share some techniques: – RC4 keys built as concatenation of a hardcoded value and a randomly generated value (XAGENT, DOWNDELPH, SEDUPLOADER) – Hardcoded “tokens” in network messages (XAGENT, SEDUPLOADER, SEDRECO) 119
  210. 210. Sednit Development Process (2) Software Design • Different Sednit software share some techniques: – RC4 keys built as concatenation of a hardcoded value and a randomly generated value (XAGENT, DOWNDELPH, SEDUPLOADER) – Hardcoded “tokens” in network messages (XAGENT, SEDUPLOADER, SEDRECO) 119 The same developers may be behind this variety of software
  211. 211. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  212. 212. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  213. 213. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  214. 214. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  215. 215. Sednit Development Process (3) Programming Errors 121 XTUNNEL report message
  216. 216. Sednit Development Process (3) Programming Errors 121 XTUNNEL report message Developers do not have a code review process (“hackish” feeling)
  217. 217. Sednit Development Process (4) Seeking Inspiration • SEDUPLOADER employed novel persistence methods also found in crimeware, and shares code with Carberp • DOWNDELPH bootkit code bears some similarities with BlackEnergy code 122
  218. 218. Sednit Development Process (4) Seeking Inspiration • SEDUPLOADER employed novel persistence methods also found in crimeware, and shares code with Carberp • DOWNDELPH bootkit code bears some similarities with BlackEnergy code 122 Developers have ties with the crimeware underground
  219. 219. Sednit Development Process (5) Having Fun 123
  220. 220. Sednit Development Process (5) Having Fun 123 Developers are not working in a formal environment…
  221. 221. Mumblings Summary Sednit has some in-house skilled developers, working with little supervision, and those guys have ties with crimeware underground 124
  222. 222. Conclusion • Sednit activity increased a lot during the last two years (targeted attacks with a LOT of targets) – Heard about the DNC hack last week? • Sednit toolkit in constant evolution, moar fun to come! 125
  223. 223. That’s All Folks! • Feel free to poke us: {calvet,campos,dupuy} .at. esetlabs.com • Whitepaper coming soon!... (“dans deux mois”) 126

×