Successfully reported this slideshow.

Visiting the Bear Den

6

Share

Jun. 21, 2016
6 likes 16,759 views
Upcoming SlideShare
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015
Loading in …3
×
1 of 229
1 of 229

Visiting the Bear Den

Jun. 21, 2016
6 likes 16,759 views

6

Share

Education

A journey in the land of (Cyber-) espionage - stunning presentation by ESET researchers Joan Calvet, Jessy Campos and Thomas Dupuy.

A journey in the land of (Cyber-) espionage - stunning presentation by ESET researchers Joan Calvet, Jessy Campos and Thomas Dupuy.

Education
License: CC Attribution-ShareAlike License

Recommended

More Related Content

Viewers also liked

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
Adversarial Post-Ex: Lessons From The Pros
Justin Warner
Started In Security Now I'm Here
Christopher Grayson
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE
Top Security Challenges Facing Credit Unions Today
Chris Gates
Introduction to red team operations
Sunny Neo
Outlook and Exchange for the bad guys
Nick Landers
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
Weekend Malware Research 2012
Andrew Morris
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
Entomology 101
snyff
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
Pwning the Enterprise With PowerShell
Beau Bullock
Red Team Apocalypse
Beau Bullock
Top 10 Threats to Cloud Security
SBWebinars
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek

Similar to Visiting the Bear Den

Sality peer to_peer_viral_network
Комсс Файквэе
Why are you still getting CryptoLocker?
Aaron Lancaster
Crouching powerpoint, Hidden Trojan
Maarten Van Horenbeeck
How to hide your browser 0-days
Zoltan Balazs
The Supporting Role of Antivirus Evasion while Persisting
CTruncer
DEF CON 20 - Botnets Die Hard - Owned and Operated
Aditya K Sood
Firewalls (Distributed computing)
Sri Prasanna
Incident Response: Validation, Containment & Forensics
Priyanka Aash
2013 Security Threat Report Presentation
Sophos
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
Dyre: Emerging Threat on Financial Fraud Landscape
Symantec
ARMITAGE-THE CYBER ATTACK MANAGEMENT
Devil's Cafe
Tactical Exploitation - hdm valsmith
amiable_indian
Hacking techniques
gaurav koriya
Dominique
Shmulik Avidan
20111204 intro malware_livshits_lecture02
Computer Science Club
Cyber Attack Methodologies
Geeks Anonymes
Defending Your Network
Adam Getchell
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Cyphort
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Davide Cioccia

More from ESET

ESET Cybersecurity students
ESET
ESET Cybersecurity training
ESET
How to implement a robust information security management system?
ESET
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
ESET
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
ESET
ESET Quick Guide to the EU General Data Protection Regulation
ESET
Bootkits: Past, Present & Future - Virus Bulletin
ESET
Advanced Persistent Threats
ESET
Shopping Online
ESET
Banking Online
ESET
Is Anti-Virus Dead?
ESET
Is Linux/Moose endangered or extinct?
ESET
Unpack your troubles*: .NET packer tricks and countermeasures
ESET
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET
ESET: Delivering Benefits to Enterprises
ESET
ESET: Delivering Benefits to Medium and Large Businesses
ESET
#DoMore with ESET
ESET
2014: Mid-Year Threat Review
ESET
Learn more about ESET and our soulutions for mobile platforms
ESET
Trends for 2014: The Challenge of Internet Privacy
ESET

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Now What?: How to Move Forward When We're Divided (About Basically Everything) Sarah Stewart Holland
(3.5/5)
Free
Boundaries Updated and Expanded Edition: When to Say Yes, How to Say No To Take Control of Your Life Henry Cloud
(4/5)
Free
Never Split the Difference: Negotiating As If Your Life Depended On It Chris Voss
(4.5/5)
Free
The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You Are Brené Brown
(4.5/5)
Free
Girl, Wash Your Face: Stop Believing the Lies About Who You Are so You Can Become Who You Were Meant to Be Rachel Hollis
(3.5/5)
Free
A Stolen Life: A Memoir Jaycee Dugard
(4.5/5)
Free
Maybe You Should Talk to Someone: A Therapist, HER Therapist, and Our Lives Revealed Lori Gottlieb
(4.5/5)
Free
Girl, Stop Apologizing: A Shame-Free Plan for Embracing and Achieving Your Goals Rachel Hollis
(3.5/5)
Free
The 7 Habits of Highly Effective People: Powerful Lessons in Personal Change: 25th Anniversary Infographics Edition Stephen R. Covey
(4.5/5)
Free
The 7 Habits of Highly Effective People Personal Workbook Stephen R. Covey
(4/5)
Free
Dry: A Memoir Augusten Burroughs
(4.5/5)
Free
Anxious for Nothing: Finding Calm in a Chaotic World Max Lucado
(4.5/5)
Free
The 7 Habits of Highly Effective People Stephen R. Covey
(4/5)
Free
Decluttering at the Speed of Life: Winning Your Never-Ending Battle with Stuff Dana K. White
(4.5/5)
Free
The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life Mark Manson
(4.5/5)
Free
How May I Serve Karen Mathews
(3.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Plays Well with Others: The Surprising Science Behind Why Everything You Know About Relationships is (Mostly) Wrong Eric Barker
(5/5)
Free
Be the Love: Seven Ways to Unlock Your Heart and Manifest Happiness Sarah Prout
(0/5)
Free
Radical Confidence: 10 No-BS Lessons on Becoming the Hero of Your Own Life Lisa Bilyeu
(5/5)
Free
Endure: How to Work Hard, Outlast, and Keep Hammering Cameron Hanes
(4.5/5)
Free
I Guess I Haven't Learned That Yet: Discovering New Ways of Living When the Old Ways Stop Working Shauna Niequist
(4.5/5)
Free
The unBalanced Life: 10 Principles for a More Balanced Life Pierre Quinn
(3.5/5)
Free
You're Cute When You're Mad: Simple Steps for Confronting Sexism Scribd Originals Audio
(4/5)
Free
The Four Keys to Sustainable Success Patricia Grabarek PhD
(4.5/5)
Free
Golden: The Power of Silence in a World of Noise Justin Zorn
(4.5/5)
Free
How to Be Perfect: The Correct Answer to Every Moral Question Michael Schur
(4.5/5)
Free
Memory Craft: Improve Your Memory with the Most Powerful Methods in History Lynne Kelly
(4.5/5)
Free
Dad on Pills: Fatherhood and Mental Illness Scribd Originals Audio
(5/5)
Free
How to Notice and Name Emotions Emma McAdam
(4.5/5)
Free
Reshape Your Body Image Stacie Garland
(4/5)
Free
The Expectation Effect: How Your Mindset Can Change Your World David Robson
(4.5/5)
Free
Already Enough: A Path to Self-Acceptance Lisa Olivera
(4.5/5)
Free

Visiting the Bear Den

  1. 1. Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage Joan Calvet Jessy Campos Thomas Dupuy 1
  2. 2. Sednit Group • Also know as APT28, Fancy Bear, Sofacy, STRONTIUM, Tsar Team • Group of attackers doing targeted attacks since 2006 • Mainly interested into geopolitics 2
  3. 3. 3 Plan • Context • The Week Serge Met The Bear • The Mysterious DOWNDELPH • Speculative Mumblings
  4. 4. CONTEXT What kind of group is Sednit? 4
  5. 5. Who Is The Bear After? (1) • We found a list of targets for Sednit phishing campaigns: – Operators used Bitly and “forgot” to set the profile private (feature now removed from Bitly) – Around 4,000 shortened URLs during 6 months in 2015 5
  6. 6. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2)
  7. 7. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2) parepkyiv@gmail.com
  8. 8. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2) parepkyiv@gmail.com Pakistan+Embassy+Kyiv
  9. 9. 6 http://login.accoounts-google.com/url/?continue= cGFyZXBreWl2QGdtYWlsLmNvbQ==&df=UGFraXN0 YW4rRW1iYXNzeStLeWl2&tel=1 Who Is The Bear After? (2) parepkyiv@gmail.com Pakistan+Embassy+Kyiv
  10. 10. Who Is The Bear After? (3) • Embassies and ministries of more than 40 countries • NATO and EU institutions • “Who’s who” of individuals involved in Eastern Europe politics: – Politicians – Activists – Journalists – Academics – Militaries – … 7
  11. 11. The Bear Has Money • A bag full of 0-day exploits: 8 2015 Apr May Jun Jul Aug Sep Oct CVE-2015-3043 (Flash) CVE-2015-1701 (Windows LPE) CVE-2015-2590 (Java) CVE-2015-4902 (Java click-to-play bypass) CVE-2015-7645 (Flash) CVE-2015-2424 (Office RCE)
  12. 12. The Bear Can Code • Tens of custom-made software used since 2006: – Droppers – Downloaders – Reconnaissance tools – Long-term spying backdoors – Encryption proxy tool – USB C&C channel – Many helper tools – … 9
  13. 13. Disclaimers • Over the last two years we tracked Sednit closely, but of course our visibility is not exhaustive • How do we know it is ONE group? – We don’t – Our Sednit “definition” is based on their toolkit and the related infrastructure • We do not do attribution (but we point out hints that may be used for that) 10
  14. 14. THE WEEK SERGE MET THE BEAR 11
  15. 15. Who Is Serge? • Code name for an imaginary Sednit target • Serge is a government employee with access to sensitive information • The chain of events in Serge’s attack matches several real cases we investigated • We use it as a textbook case to present (a part of) the Sednit toolkit 12
  16. 16. 13 Monday, 9:30AM
  17. 17. Serge Opens an Email 14
  18. 18. Legitimate URL Mimicking 15
  19. 19. Legitimate URL Mimicking 15
  20. 20. Legitimate URL Mimicking 15
  21. 21. Legitimate URL Mimicking 15
  22. 22. 16 Serge clicks on the URL, and…
  23. 23. …Serge Meets SEDKIT • Exploit-kit for targeted attacks • Entry-point URLs mimic legitimate URLs • Usually propagated by targeted phishing emails (also seen with hacked website + iframe) • Period of activity: September 2014 - Now 17
  24. 24. Landing Page (1) Reconnaissance Report Building 18
  25. 25. Landing Page (1) Reconnaissance Report Building 18
  26. 26. Landing Page (1) Reconnaissance Report Building 18
  27. 27. 19
  28. 28. Crawling Sedkit 20
  29. 29. 21 Serge is selected to be exploited…
  30. 30. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 22 * : At the time SEDKIT dropped them
  31. 31. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 23 * : At the time SEDKIT dropped them
  32. 32. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 24 * : At the time SEDKIT dropped them
  33. 33. … and Visits Sednit Exploits Factory Vulnerability Targeted Application Note CVE-2013-1347 Internet Explorer 8 CVE-2013-3897 Internet Explorer 8 CVE-2014-1510 + CVE-2014-1511 Firefox CVE-2014-1776 Internet Explorer 11 CVE-2014-6332 Internet Explorer Several versions N/A MacKeeper CVE-2015-2590 + CVE-2015-4902 Java 0-day* CVE-2015-3043 Adobe Flash 0-day* CVE-2015-5119 Adobe Flash Hacking Team gift CVE-2015-7645 Adobe Flash 0-day* 25 * : At the time SEDKIT dropped them
  34. 34. Revamping CVE-2014-6332 (a.k.a. IE “Unicorn bug”) • October 2015: – Re-use of public PoC to disable VBScript “SafeMode” – Next stage binary downloaded by PowerShell 26
  35. 35. Revamping CVE-2014-6332 (a.k.a. IE “Unicorn bug”) • October 2015: – Re-use of public PoC to disable VBScript “SafeMode” – Next stage binary downloaded by PowerShell • February 2016: – No more “SafeMode” disabling, direct ROP-based shellcode execution – Around 400 lines of VBScript, mostly custom 27
  36. 36. 28
  37. 37. 29
  38. 38. VBScript Framework • Functions: – addToROP() – getROPstringAddress () – Code_section_explorer_7 () – Code_section_explorer_XP() – getNeddedAddresses () – addrToHex () – … 30
  39. 39. VBScript Framework • Functions: – addToROP() – getROPstringAddress () – Code_section_explorer_7 () – Code_section_explorer_XP() – getNeddedAddresses () – addrToHex () – … Have you ever seen this somewhere? (cuz we don’t) 30
  40. 40. 31 Exploit downloads a payload and…
  41. 41. Serge Meets SEDUPLOADER (a.k.a. JHUHUGIT, JKEYSKW) • Downloaded by SEDKIT • Two binaries: the dropper and its embedded payload • Deployed as a first-stage component • Period of activity: March 2015 - Now
  42. 42. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence
  43. 43. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence
  44. 44. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence
  45. 45. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • CVE-2015-1701 (0-day) • CVE-2015-2387 ( )
  46. 46. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • Windows COM object hijacking • Shell Icon Overlay COM object • Registry key UserInitMprLogonScript • JavaScript code executed within rundll32.exe • Scheduled tasks, Windows service,…
  47. 47. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • Windows COM object hijacking • Shell Icon Overlay COM object • Registry key UserInitMprLogonScript • JavaScript code executed within rundll32.exe • Scheduled tasks, Windows service,…
  48. 48. SEDUPLOADER DROPPER Workflow Anti- Analysis Payload Dropping Escalating Privileges Payload Persistence • Windows COM object hijacking Win32/COMpfun • Shell Icon Overlay COM object • Registry key UserInitMprLogonScript • JavaScript code executed within rundll32.exe Win32/Poweliks • Scheduled tasks, Windows service,…
  49. 49. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  50. 50. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  51. 51. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection
  52. 52. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection C&C Successfully Contacted SUCCESS
  53. 53. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy C&C Successfully Contacted FAIL SUCCESS
  54. 54. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy C&C Successfully Contacted FAIL SUCCESS
  55. 55. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy Inject Into Browsers C&C Successfully Contacted FAIL SUCCESS
  56. 56. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders Direct Connection Via Proxy Inject Into Browsers C&C Successfully Contacted FAIL SUCCESS
  57. 57. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  58. 58. SEDUPLOADER PAYLOAD Workflow Network Link Establishment First Stage Report Parsing C&C Orders
  59. 59. East Side Story printf debugging
  60. 60. 46 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM Chain of Events Mon Tue Wed Thu Fri
  61. 61. 47 Monday, 10:00AM
  62. 62. …Serge meets SEDRECO • Downloaded by SEDUPLOADER • Backdoor with the ability to load external plugins • Usually deployed as a second stage backdoor to spy on the infected computer • Period of activity : 2012 - Now 48
  63. 63. Dropper • Drops encrypted configuration – In a file (“msd”) – In the Windows Registry • No configuration linked to the payload
  64. 64. Configuration Overview
  65. 65. Configuration Overview XOR KEY
  66. 66. Configuration Overview XOR KEY FIELD SIZES
  67. 67. Configuration Overview (Decrypted)
  68. 68. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '')
  69. 69. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Various timeouts
  70. 70. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Computer name
  71. 71. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Keylogger enabled
  72. 72. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') C&C servers
  73. 73. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Operation name (rhst, rhbp, mctf, mtqs)
  74. 74. Configuration Overview (Decrypted) ('600000', '600000', ‘SERGE-PC…', 'kenlynton.com', 'softwaresupportsv.com', 'mtcf', '10000', '600000', '1', 'updmanager.com', '', '', '', '', '', '', '', '', '', '') Plugins list
  75. 75. Payload
  76. 76. Payload
  77. 77. Payload
  78. 78. Payload
  79. 79. Payload
  80. 80. Payload
  81. 81. Payload
  82. 82. Payload
  83. 83. Payload
  84. 84. Extending The Core (1) • Plugins are DLLs loaded in the same address space • Plugins receive arguments from the core:
  85. 85. Extending The Core (1) • Plugins are DLLs loaded in the same address space • Plugins receive arguments from the core:
  86. 86. Extending The Core (1) • Plugins are DLLs loaded in the same address space • Plugins receive arguments from the core:
  87. 87. Extending The Core (2)
  88. 88. Extending The Core (2) New command
  89. 89. 55 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM Chain of Events Mon Tue Wed Thu Fri
  90. 90. 56 Monday, 2:00PM
  91. 91. Serge Meets XAGENT (a.k.a SPLM, CHOPSTICK) • Downloaded by SEDUPLOADER • Modular backdoor developed in C++ with Windows, Linux and iOS versions • Deployed in most Sednit operations, usually after the reconnaissance phase • Period of activity: November 2012 - Now 57
  92. 92. 58
  93. 93. 59
  94. 94. • Linux XAGENT, compiled in July 2015 59
  95. 95. • Linux XAGENT, compiled in July 2015 • ~ 18,000 lines of code in 59 classes 59
  96. 96. • Linux XAGENT, compiled in July 2015 • ~ 18,000 lines of code in 59 classes • Derives from Windows version: 59
  97. 97. • Linux XAGENT, compiled in July 2015 • ~ 18,000 lines of code in 59 classes • Derives from Windows version: • XAGENT major version 2, but matches the logic of currently distributed binaries (version 3) 59
  98. 98. Such Comments 60 <- That’s a lot
  99. 99. 61 main.cpp
  100. 100. 61 main.cpp
  101. 101. 61 main.cpp
  102. 102. 61 main.cpp
  103. 103. 61 main.cpp
  104. 104. 61 main.cpp
  105. 105. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  106. 106. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  107. 107. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  108. 108. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  109. 109. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  110. 110. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  111. 111. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Communication Workflow XAGENT INFECTED COMPUTER
  112. 112. 62 Translates messages from modules for the C&C server Translates messages from the C&C server for modules AgentKernel::run() AgentKernel RemoteShell FSModule Keylogger Channel Controller Modules C&C SERVER Unencrypted messages Encrypted messages Channel (HTTP or emails) Communication Workflow XAGENT INFECTED COMPUTER
  113. 113. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel C&C SERVER
  114. 114. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS C&C SERVER
  115. 115. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S C&C SERVER
  116. 116. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S SMTPS C&C SERVER
  117. 117. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S POP3S SMTPS C&C SERVER
  118. 118. Emails Channel (1) Workflow 63 exfil@gmail.com orders@gmail.comXAGENT INFECTED COMPUTER USING MailChannel SMTPS POP3S POP3S SMTPS C&C SERVER An email-based C&C protocol needs to provide: 1. A way to distinguish C&C emails from unrelated emails 2. A way to bypass spam filters
  119. 119. Email Channel (2) P2Scheme, a.k.a “Level 2 Protocol” 64
  120. 120. Email Channel (2) P2Scheme, a.k.a “Level 2 Protocol” 64 KEY SUBJ_TOKEN ^ KEY XAGENT_ID ^ KEY base64 0 5 12 16
  121. 121. Email Channel (2) P2Scheme, a.k.a “Level 2 Protocol” 64 KEY SUBJ_TOKEN ^ KEY XAGENT_ID ^ KEY base64 0 5 12 16
  122. 122. Email Channel (3) Georgian Protocol 65
  123. 123. Email Channel (3) Georgian Protocol 65 Georgian national ID number
  124. 124. Email Channel (3) Georgian Protocol 65 Georgian national ID number “Hello”
  125. 125. Email Channel (3) Georgian Protocol 65 Georgian national ID number “Hello” “detailed” + timestamp
  126. 126. Bonus: XAGENT C&C Infrastructure 66
  127. 127. Bonus: XAGENT C&C Infrastructure 66 Thank you, Google search engine
  128. 128. XAGENT Proxy Server • Python code used between April and June 2015
  129. 129. XAGENT Proxy Server • Python code used between April and June 2015 • ~ 12,200 lines of code
  130. 130. XAGENT Proxy Server • Python code used between April and June 2015 • ~ 12,200 lines of code • Translates email protocol from XAGENT into a HTTP protocol for the C&C server: (over HTTP) P3Protocol XAGENT PROXY BACKEND C&C SERVER INBOX P2Protocol
  131. 131. 68 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM XAGENT deployment 02:00PM Chain of Events Mon Tue Wed Thu Fri
  132. 132. 69 Next three days…
  133. 133. Serge Meets Passwords Extractors • SecurityXploded tools (grand classic of Sednit) – Cons: usually detected by AV software • Custom tools, in particular a Windows Live Mail passwords extractor compiled for Serge: 70
  134. 134. Serge Meets Windows Passwords Extractors • From registry hives – Deployed with LPE for CVE-2014-4076 • Good ol’ Mimikatz (“pi.log”) – Deployed with LPE for CVE-2015-1701 71
  135. 135. Serge Meets Screenshoter • Custom tool to take screenshots each time the mouse moves 72
  136. 136. And… Serge Meets XTUNNEL • Network proxy tool to contact machines normally unreachable from Internet • Period of activity: May 2013 - Now 73
  137. 137. 74 SERGE’S COMPUTER (XTUNNEL INFECTED)COMPUTER A (CLEAN) COMPUTER B (CLEAN) INTERNET INTERNAL NETWORK C&C SERVER Initial Situation
  138. 138. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Encryption Handshake C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  139. 139. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  140. 140. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T RC4 key O C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  141. 141. 75 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T  Offset O in T  Proof of knowledge of T RC4 key O C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  142. 142. 76 SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … Encryption Handshake D5 47 A4 A4.3F 60 6A 0F 3B 36 04 1C.44 4A C8 BD 80 BE 7B 25.8E E6 FC F2 CD 5D 7F 3A.73 1D 59 A5 2D 35 77 F3.B2 1B DF 7D EE 1D 1C F1.AB 91 87 87 … T T “OK” RC4 key RC4 Key O O C&C SERVER COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  143. 143. 77 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Encryption Handshake RC4-encrypted link COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  144. 144. 78 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Encryption Handshake TLS encapsulation (added in 2014) COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  145. 145. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  146. 146. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN)
  147. 147. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN) Any kind of TCP-based traffic can be tunneled! (PsExec)
  148. 148. 79 C&C SERVER SERGE’S COMPUTER (XTUNNEL INFECTED) INTERNET INTERNAL NETWORK Tunnels Opening COMPUTER A (CLEAN) COMPUTER B (CLEAN) Any kind of TCP-based traffic can be tunneled! (PsExec)
  149. 149. Code Obfuscation (1) • Starting in July 2015 XTUNNEL code was obfuscated (which is two months after the Sednit attack against the German parliament, where XTUNNEL was used) 80
  150. 150. Code Obfuscation (1) • Starting in July 2015 XTUNNEL code was obfuscated (which is two months after the Sednit attack against the German parliament, where XTUNNEL was used) • The obfuscation is a mix of classic syntactic techniques, like insertion of junk code and opaque predicates 80
  151. 151. Code Obfuscation (2) BEFORE AFTER 81
  152. 152. Code Obfuscation (2) BEFORE AFTER 81 Good toy example for automatic desobfuscation magic?
  153. 153. 82 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM XAGENT deployment 02:00PM Information exfiltration and lateral movements Chain of Events Mon Tue Wed Thu Fri
  154. 154. 83 Friday, 11:00AM
  155. 155. Long Term Persistence (1) • Special XAGENT copied in Office folder under the name “msi.dll” 84
  156. 156. Long Term Persistence (2) • system32msi.dll is a legitimate Windows DLL needed by Office applications 85
  157. 157. Long Term Persistence (2) • system32msi.dll is a legitimate Windows DLL needed by Office applications • XAGENT msi.dll exports the same function names as the legitimate msi.dll: 85
  158. 158. Long Term Persistence (3) • Each time Serge starts Office, XAGENT msi.dll is loaded (search-order hijacking): – Loads real msi.dll from system32 – Fills its export table with the addresses of the real msi.dll functions – Starts XAGENT malicious logic 86
  159. 159. Long Term Persistence (3) • Each time Serge starts Office, XAGENT msi.dll is loaded (search-order hijacking): – Loads real msi.dll from system32 – Fills its export table with the addresses of the real msi.dll functions – Starts XAGENT malicious logic • Same technique also seen with LINKINFO.dll dropped in C:WINDOWS 86
  160. 160. 87 Serge opens an email leading to SEDKIT, and then SEDUPLOADER 9:30AM SEDRECO deployment 10:00AM XAGENT deployment 02:00PM Long-term persistence method deployment 11:00AM Chain of Events Mon Tue Wed Thu Fri Information exfiltration and lateral movements
  161. 161. THE MYSTERIOUS DOWNDELPH What the hell is going on here ?! 88
  162. 162. Discovery September 2015 • Classic Sednit dropper • Shows a decoy document
  163. 163. What Is In This Dropper?
  164. 164. The Ultimate Boring Component • Delphi downloader, we named it DOWNDELPH (slow clap) • Simple workflow: – Downloads a config (.INI file) – Based on the config, downloads a payload – Executes payload • Persistence method: Run registry key
  165. 165. The Ultimate Boring Component • Delphi downloader, we named it DOWNDELPH (slow clap) • Simple workflow: – Downloads a config (.INI file) – Based on the config, downloads a payload – Executes payload • Persistence method: Run registry key
  166. 166. Let The Hunt Begins 2013 DOWNDELPH Sample Dropper Helper Bootkit Installer DOWNDELPH
  167. 167. Let The Hunt Begins 2013 DOWNDELPH Sample Dropper Helper Bootkit Installer DOWNDELPH • Infects BIOS-based systems • Tested on Windows XP/7, 32bit/64bit • Never been documented
  168. 168. Not So Boring Component
  169. 169. Bootkit Installation MBR Legitimate data First sectors before infection 1ST sector
  170. 170. Malicious MBR Original MBR (1-byte XOR) Hooks (1-byte XOR) Driver (1-byte XOR + RC4) Legitimate Data First sectors before infection First sectors after infection Bootkit Installation 1ST sector 2ND sector
  171. 171. Normal Boot Process Windows 7 x64 BOOTMGR Winload.exe … Real Mode Protected Mode Original MBR Kernel Init
  172. 172. Infected Boot Process Windows 7 x64 Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR … Kernel Init
  173. 173. Infected Boot Process Windows 7 x64 Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR … Kernel Init
  174. 174. Malicious MBR • Hooks INT 13h handler (low-level read/write operations)
  175. 175. Malicious MBR • Hooks INT 13h handler (low-level read/write operations) • Patches BOOTMGR in memory
  176. 176. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR … Kernel Init
  177. 177. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR Hook … Kernel Init
  178. 178. BOOTMGR Hook • Searches OslArchTransferToKernel() in winload.exe to patch it kd> u winload!OslArchTransferToKernel winload!OslArchTransferToKernel: 00000000`003381f0 e961fdd5ff jmp 00000000`00097f56 Before: After:
  179. 179. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR Hook … Kernel Init
  180. 180. Bootkit Workflow Infected MBR BOOTMGR Winload.exe Real Mode Protected Mode Original MBR Hook Hook … Kernel Init
  181. 181. Winload.exe Hook • Locates MmMapIoSpace • Saves some code in ACPI.sys resources section (and makes the section executable) • Hooks ACPI!GsDriverEntry
  182. 182. Saving Important Information ACPI!GsDriverEntry original opcodes 0: kd> db rbx $$ kernel header address 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ.............. b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@....... 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................ 00 74 09 00 00 b4 09 cd-21 b8 01 4c cd 21 54 68 .t......!..L.!Th 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$....... 8a 4a 9e 90 ce 2b f0 c3-ce 2b f0 c3 ce 2b f0 c3 .J...+...+...+.. c7 53 73 c3 aa 2b f0 c3-c7 53 63 c3 c5 2b f0 c3 .Ss..+...Sc..+.. ce 2b f1 c3 a2 2b c0 97-8f 00 00 f8 ff ff 30 fc .+...+........0. 04 00 f2 0f 00 00 48 83-ec 28 4c c3 d4 2b f0 c3 ......H..(L..+.. c7 53 62 c3 cf 2b f0 c3-c7 53 64 c3 cf 2b f0 c3 .Sb..+...Sd..+.. c7 53 61 c3 20 cd a2 02-00 f8 ff ff ce 2b f0 c3 .Sa. ........+.. 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00-50 45 00 00 64 86 18 00 ........PE..d... Bootkit physical address MmMapIoSpace address
  183. 183. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Real Mode Protected Mode Original MBR Kernel Init Hook Hook …
  184. 184. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook …
  185. 185. ACPI.sys Hook • Restores ACPI!GsDriverEntry • Maps the bootkit physical address into virtual address space by calling MmMapIoSpace • Decrypts hidden driver
  186. 186. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook
  187. 187. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook
  188. 188. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook
  189. 189. Bootkit Workflow Infected MBR BOOTMGR Winload.exe ACPI.sys Bootkit Driver “Bootkit user-mode component” DOWNDELPH Real Mode Protected Mode Original MBR Kernel Init Hook Hook Hook Why a DLL to load another DLL ?
  190. 190. Who Are You Bootkit? • Missing exported variable in DOWNDELPH
  191. 191. Who Are You Bootkit? • Missing exported variable in DOWNDELPH • Code sharing with BlackEnergy – Relocations fixing – DLL injection calling three exports (“Entry”, “ep_data” and “Dummy”) – …
  192. 192. But It’s Not The End of The Story 2014 DOWNDELPH Samples Dropper Helper Kernel Mode Rootkit DOWNDELPH
  193. 193. Not So Boring Component++
  194. 194. Kernel Mode Rootkit (1) • Registered as a Windows service • Injects DOWNDELPH into explorer.exe (APC) • Hides files, folders and registry keys • Relies on a set of rules: HIDEDRV: >>>>>>>>Hide rules>>>>>>>> rules HIDEDRV: File rules: Device[…]dnscli1.dll HIDEDRV: File rules: Device[…]FsFlt.sys HIDEDRV: Registry rules: REGISTRY[…]FsFlt HIDEDRV: Registry rules: REGISTRY[…]FsFlt HIDEDRV: Registry rules: REGISTRY[…]FsFlt HIDEDRV: Inject dll: C:Windowssystem32mypathcomdnscli1.dll HIDEDRV: Folder rules: DeviceHarddiskVolume1Windowssystem32mypathcom HIDEDRV: <<<<<<<<XXXXX<<<<<<<< rules HIDEDRV: <<<<<<<<Hide rules<<<<<<<< rules
  195. 195. Kernel Mode Rootkit (2) How It Works • Two implementations of the hiding ability: – SSDT hooking – Minifilter driver
  196. 196. Implementation Minifilter
  197. 197. Implementation Minifilter
  198. 198. Implementation Minifilter
  199. 199. Implementation Minifilter
  200. 200. Who Are You Rootkit? • Never documented (to the best of our knowledge) • PDB paths: d:!worketchiBinDebugwin7x86fsflt.pdb d:!worketchideinstaller_kis2013BinDebugwin7x64fsflt.pdb d:newhideinstallerBinDebugwxpx86fsflt.pdb
  201. 201. Who Are You Rootkit? • Never documented (to the best of our knowledge) • PDB paths: d:!worketchiBinDebugwin7x86fsflt.pdb d:!worketchideinstaller_kis2013BinDebugwin7x64fsflt.pdb d:newhideinstallerBinDebugwxpx86fsflt.pdb
  202. 202. Who Are You Rootkit? • Never documented (to the best of our knowledge) • PDB paths: d:!worketchiBinDebugwin7x86fsflt.pdb d:!worketchideinstaller_kis2013BinDebugwin7x64fsflt.pdb d:newhideinstallerBinDebugwxpx86fsflt.pdb
  203. 203. To Summarize • Seven different samples (!) of DOWNDELPH over the past three years • One C&C server was up for two years • Persistence methods: – Bootkit able to infect from Windows XP to Windows 7 – Rootkit • So, WHY such advanced persistence methods for such a simple component? • DOWNDELPH downloaded SEDRECO + XAGENT in a few cases, so SEDNIT related for sure
  204. 204. SPECULATIVE MUMBLINGS 116
  205. 205. Call For Speculation • The diversity of Sednit software is impressive (DOWNDELPH, bootkit, XAGENT, SEDKIT…) • Diversity is good for their operations, as it makes detection and tracking harder • How did they created this software ecosystem? 117
  206. 206. Sednit Development Process (1) Developers Role • Binaries are often compiled specifically for a target, after it has been infected 118 XAGENT SMTP logins/passwords
  207. 207. Sednit Development Process (1) Developers Role • Binaries are often compiled specifically for a target, after it has been infected • Main software evolve regularly (XTUNNEL, SEDUPLOADER, XAGENT…) 118 XAGENT SMTP logins/passwords
  208. 208. Sednit Development Process (1) Developers Role • Binaries are often compiled specifically for a target, after it has been infected • Main software evolve regularly (XTUNNEL, SEDUPLOADER, XAGENT…) 118 Developers are part of the team, not outsiders paid for a one-time job XAGENT SMTP logins/passwords
  209. 209. Sednit Development Process (2) Software Design • Different Sednit software share some techniques: – RC4 keys built as concatenation of a hardcoded value and a randomly generated value (XAGENT, DOWNDELPH, SEDUPLOADER) – Hardcoded “tokens” in network messages (XAGENT, SEDUPLOADER, SEDRECO) 119
  210. 210. Sednit Development Process (2) Software Design • Different Sednit software share some techniques: – RC4 keys built as concatenation of a hardcoded value and a randomly generated value (XAGENT, DOWNDELPH, SEDUPLOADER) – Hardcoded “tokens” in network messages (XAGENT, SEDUPLOADER, SEDRECO) 119 The same developers may be behind this variety of software
  211. 211. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  212. 212. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  213. 213. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  214. 214. Sednit Development Process (3) Programming Errors 120 Linux XAGENT Communications termination
  215. 215. Sednit Development Process (3) Programming Errors 121 XTUNNEL report message
  216. 216. Sednit Development Process (3) Programming Errors 121 XTUNNEL report message Developers do not have a code review process (“hackish” feeling)
  217. 217. Sednit Development Process (4) Seeking Inspiration • SEDUPLOADER employed novel persistence methods also found in crimeware, and shares code with Carberp • DOWNDELPH bootkit code bears some similarities with BlackEnergy code 122
  218. 218. Sednit Development Process (4) Seeking Inspiration • SEDUPLOADER employed novel persistence methods also found in crimeware, and shares code with Carberp • DOWNDELPH bootkit code bears some similarities with BlackEnergy code 122 Developers have ties with the crimeware underground
  219. 219. Sednit Development Process (5) Having Fun 123
  220. 220. Sednit Development Process (5) Having Fun 123 Developers are not working in a formal environment…
  221. 221. Mumblings Summary Sednit has some in-house skilled developers, working with little supervision, and those guys have ties with crimeware underground 124
  222. 222. Conclusion • Sednit activity increased a lot during the last two years (targeted attacks with a LOT of targets) – Heard about the DNC hack last week? • Sednit toolkit in constant evolution, moar fun to come! 125
  223. 223. That’s All Folks! • Feel free to poke us: {calvet,campos,dupuy} .at. esetlabs.com • Whitepaper coming soon!... (“dans deux mois”) 126

×