Careto: Unmasking a New Level in APT-ware


  • Notes:
    Know your enemy. Other resources: DHS, CERT, POS vendors, infosec vendors, bank / ACH, etc. Restrict internet access from POS systems. Remote POS hacks. Target market cap impact: ~63 in late Dec, ~55 at the low point (early Feb), ~57 now.

    About remote POS hacks: There are many vulnerabilities within a PoS system. If a system is not properly protected, anyone with inside knowledge of how the systems work can carry out a hack without much difficulty. Hackers are becoming more skilled, so PoS systems that used to be seen as a challenge are not as daunting as before. Because many PoS devices come pre-loaded with an operating system, the inner workings and weaknesses of that system are known to hackers. All they need to do is find an unsecured IP address or hack into a secure Wi-Fi connection if proper protections have not been put in place. A well-known weakness of PoS devices is their Internet printing protocol, which many businesses use for remote printing.

    Protecting your business against PoS hacks: there are some simple and straightforward steps you can take to make your system less accessible to hackers, for example:
    • Ensure all Wi-Fi connections on your network are secure
    • Avoid using a Wi-Fi network name that is associated with your business
    • Implement a lockout system for failed login attempts
    • Always change the default password for software
    • Follow best practices on secure password creation
    • Update your systems as often as possible – manufacturers are usually quick to respond to known vulnerabilities by releasing patches and software updates
    However, no matter how many precautions you take, there is still likely to be one or more vulnerabilities that you are unaware of. Invest in the future of your business by hiring a reputable IT company to assess your system and identify your existing security risks.
    1. Careto: Unmasking a New Level in APT-ware (sponsored) © 2014 Monterey Technology Group Inc.
    2. Thanks to Dan Teal, Sr. Architect
    3. Preview of key points
       • Installation
       • Backdoor components
       • Use of certificates
       • Exploit sites
       • Communication
       • Command and control servers
       • Exploits used
    4. Overview
       • Used many sources for this research, in particular the 65-page Kaspersky report
       • 380 victims in 31 countries
       • Targets: government; energy, oil and gas; private companies; research institutions; financial; activists
       • Platforms: 32- and 64-bit Windows; Linux, Mac and Android
       • Two main components:
         • Careto: user level; collects system info, runs arbitrary code
         • SGH: kernel-mode rootkit; intercepts system calls, steals files; extensible (Skype, encryption keys, WiFi traffic, keystrokes, screen capture…)
    5. Initial attack
       • Began with spear-phishing attacks (videos related to political subjects, food recipes)
       • Links to a malicious server using disguised URLs
       • After infection, the victim is redirected to the actual resource they were expecting
    6. Exploit server
       • Victim first hits Java code that profiles their endpoint: browser, plugins, OS, version of Office, Java version
       • Depending on the profile, the victim is redirected to the subdirectory appropriate for their PC profile
       • Exploits:
         • Java: signed applets via CVE-2011-3544
         • Flash
         • Plugins for Chrome and Firefox
         • Windows, Linux and OS X
    7. Exploit to install
       • Java exploit 1: redirected to an HTML file that tries to load and run a signed Java applet; the JAR file uses CVE-2011-3544 and pulls an EXE out of icon.jpg inside the JAR
       • Java exploit 2: uses JNLP files; claims to be an Oracle Java update and asks for permission to install
       • Another Java exploit apparently tailored for Macs
       • Flash exploit: leverages CVE-2012-0773; originally developed by VUPEN to win the Pwn2Own contest; first known exploit to defeat the Chrome sandbox
       • Chrome plugin: relied on users clicking Continue on the Chrome "may harm your computer" warning
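The "EXE hidden in icon.jpg inside the JAR" trick on this slide is easy to check for at a mail or web gateway: an entry whose name claims an image format but whose bytes are a PE image. The following is an added example (not code from the deck or from the Kaspersky report) that inspects a JAR in memory and flags entries whose declared image type does not match their content or which contain a well-formed PE header. The JAR, its entry names and the stub PE bytes are constructed here for illustration; a bare "MZ" match is deliberately not enough, because those two bytes can occur by chance inside real image data.

```python
import io
import zipfile
from typing import Optional

# Magic bytes a genuine image of the given extension starts with
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def pe_header_offset(data: bytes) -> Optional[int]:
    """Return the offset of the first well-formed PE header in data, or None.

    The DOS header's e_lfanew field (offset 0x3C) must point at a 'PE\\0\\0'
    signature; a lone 'MZ' inside a picture is not treated as a hit.
    """
    idx = data.find(b"MZ")
    while idx != -1:
        if len(data) >= idx + 0x40:
            e_lfanew = int.from_bytes(data[idx + 0x3C:idx + 0x40], "little")
            pe = idx + e_lfanew
            if data[pe:pe + 4] == b"PE\x00\x00":
                return idx
        idx = data.find(b"MZ", idx + 1)
    return None


def find_disguised_executables(jar_bytes: bytes) -> list:
    """Flag JAR entries that claim an image extension but carry a PE image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename.lower()
            ext = next((e for e in IMAGE_MAGIC if name.endswith(e)), None)
            if ext is None:
                continue  # only image-named entries are of interest here
            data = jar.read(info)
            magic_ok = data.startswith(IMAGE_MAGIC[ext])
            pe_at = pe_header_offset(data)
            if not magic_ok or pe_at is not None:
                findings.append({"entry": info.filename, "declared": ext,
                                 "magic_matches": magic_ok, "pe_offset": pe_at})
    return findings


def build_fake_pe() -> bytes:
    """Constructed minimal PE stub: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x20


def build_sample_jar() -> bytes:
    """Constructed JAR: one clean image, one PE renamed to .jpg, one JPEG-headed carrier."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Applet.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        jar.writestr("logo.png", IMAGE_MAGIC[".png"] + b"\x00" * 32)        # benign
        jar.writestr("icon.jpg", build_fake_pe())                          # PE named as JPEG
        jar.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8 + build_fake_pe())  # PE after a JPEG header
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_disguised_executables(build_sample_jar()):
        print(f)
```

Run as a script it reports icon.jpg (wrong magic, PE at offset 0) and photo.jpg (valid JPEG magic, PE at offset 12) and stays silent on logo.png; the same function can be pointed at any JAR bytes pulled from a proxy or mail quarantine.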
    8. Installer
       • Windows standalone executable installer
       • Valid signature: TecSystem Ltd., Sofia, BG (expired 2013.06.28)
       • Extracts the appropriate DLL that hosts the persistent backdoor: 32- or 64-bit, named objframe.dll
       • Saves to either %system% or %appdata% depending on Windows version
       • Uses or eschews admin authority depending on UAC
       • Changes file metadata to match kernel.dll
       • Replaces a COM object in the registry
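Replacing a COM object in the registry leaves a durable artefact: a CLSID's InprocServer32 default value that now points at the backdoor DLL, and, when the install was done without admin rights, a per-user HKCU entry shadowing the machine-wide HKLM one. The following is an added example (not the deck's or any vendor's code) that parses a `.reg` export and flags CLSIDs where HKCU overrides HKLM or where the server DLL lives in a user-writable location such as %appdata%. The CLSIDs, paths and the export text are constructed for illustration; the check would be run against a real `reg export` of both hives.

```python
import re
from collections import defaultdict

# Key line of a .reg export for a CLSID's in-process server (either hive, 32- or 64-bit view)
CLSID_KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\(?:Wow6432Node\\)?"
    r"Classes\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<path>.*)"$')

# Directories a normal user can write to; a COM server loaded from here deserves a look
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_inproc_servers(reg_text: str) -> dict:
    """Map (hive, clsid) -> server DLL path from the text of a .reg export."""
    servers = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = CLSID_KEY_RE.match(line)
        if m:
            current = (m["hive"].upper(), m["clsid"].upper())
            continue
        if line.startswith("["):
            current = None          # some other key; ignore its values
            continue
        v = DEFAULT_VALUE_RE.match(line) if current else None
        if v:
            servers[current] = v["path"].replace("\\\\", "\\")  # .reg doubles backslashes
    return servers


def audit_com_servers(servers: dict) -> list:
    """Return (clsid, [reasons]) for every CLSID whose in-proc server looks hijacked."""
    by_clsid = defaultdict(dict)
    for (hive, clsid), path in servers.items():
        by_clsid[clsid][hive] = path
    findings = []
    for clsid, hives in by_clsid.items():
        reasons = []
        hkcu = hives.get("HKEY_CURRENT_USER")
        hklm = hives.get("HKEY_LOCAL_MACHINE")
        if hkcu and hklm and hkcu.lower() != hklm.lower():
            reasons.append("HKCU InprocServer32 overrides HKLM: %s -> %s" % (hklm, hkcu))
        for hive, path in hives.items():
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                reasons.append("%s server in user-writable directory: %s" % (hive, path))
        if reasons:
            findings.append((clsid, reasons))
    return findings


# Constructed export: one CLSID hijacked per-user, one untouched
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\bob\\AppData\\Roaming\\objframe.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\System32\\other.dll"
"""

if __name__ == "__main__":
    for clsid, reasons in audit_com_servers(parse_inproc_servers(SAMPLE_REG)):
        print(clsid)
        for r in reasons:
            print("  -", r)
```

The HKCU-overrides-HKLM test catches the low-privilege install path; the user-writable-directory test also catches the case where the attacker had admin rights and edited HKLM directly but still dropped the DLL outside the system directory. A copy dropped into %system% with metadata cloned from a real DLL (the slide's kernel.dll trick) would pass both tests, which is why the next slide's memory-versus-disk comparison is still needed.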
    9. Backdoor persistence
       • objframe.dll is activated in every application that uses the hijacked COM object
       • Primary target: Windows Explorer – perfect
       • Loads in the hijacked class DLL
       • Erases itself from the process's module list
       • Loads another system DLL not used by the current process
       • Then overwrites the contents of that DLL in memory with itself, but leaves the module list alone
       • Disguising its presence: you would have to compare the actual memory contents of the library to the file on disk
    10. Communication with C&C servers
       • Now watches for calls to start IE, Chrome or Firefox
       • Injects itself into the browser
       • All C&C communication goes through the browser, evading local firewalls
       • Communicates with C&C servers via HTTP/HTTPS GET and POST verbs
       • C&C server sends back commands: upload, execute, system report, etc.
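Because the implant rides inside the browser and speaks ordinary HTTP GET/POST, a host firewall that trusts the browser process sees nothing unusual; what remains visible is the traffic pattern in the proxy log. The following is an added example (not from the deck or the Kaspersky report) of a simple beacon heuristic: group requests by client and destination host, and flag pairs with enough requests whose inter-request intervals are nearly constant (low coefficient of variation). The log format, hosts (`.invalid` TLD), client addresses and timestamps are constructed; the thresholds `min_requests` and `max_cv` are tuning assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> <path> <status> <bytes>"
SAMPLE_PROXY_LOG = """\
2014-02-11T09:00:00 10.0.0.5 POST cgi-host.invalid /cgi-bin/index.cgi 200 412
2014-02-11T09:01:10 10.0.0.5 GET www.example.invalid /news 200 15302
2014-02-11T09:01:12 10.0.0.5 GET www.example.invalid /news/style.css 200 2210
2014-02-11T09:02:40 10.0.0.7 GET www.example.invalid / 200 9000
2014-02-11T09:05:01 10.0.0.5 POST cgi-host.invalid /cgi-bin/index.cgi 200 418
2014-02-11T09:09:59 10.0.0.5 GET cgi-host.invalid /cgi-bin/index.cgi 200 402
2014-02-11T09:15:00 10.0.0.5 POST cgi-host.invalid /cgi-bin/index.cgi 200 415
2014-02-11T09:20:02 10.0.0.5 GET cgi-host.invalid /cgi-bin/index.cgi 200 407
2014-02-11T09:24:58 10.0.0.5 POST cgi-host.invalid /cgi-bin/index.cgi 200 411
2014-02-11T09:30:00 10.0.0.5 GET www.example.invalid /news/item/42 200 8800
2014-02-11T09:41:15 10.0.0.7 GET www.example.invalid /about 200 7000
"""


def parse_proxy_log(text: str) -> list:
    """Parse the constructed 7-field format into (timestamp, client, method, host) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip blank or malformed lines
        ts, client, method, host = parts[0], parts[1], parts[2], parts[3]
        rows.append((datetime.fromisoformat(ts), client, method, host))
    return rows


def detect_beacons(text: str, min_requests: int = 6, max_cv: float = 0.2) -> list:
    """Flag client/host pairs whose request timing is suspiciously regular.

    cv = population stddev / mean of the gaps between consecutive requests;
    human browsing is bursty (high cv), a timer-driven check-in is not.
    """
    per_pair = defaultdict(list)
    for ts, client, _method, host in parse_proxy_log(text):
        per_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in per_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "mean_interval": m, "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_PROXY_LOG):
        print("%(client)s -> %(host)s: %(requests)d requests, every %(mean_interval).0fs (cv=%(cv).3f)" % f)
```

On the sample the 10.0.0.5 to cgi-host.invalid pair is reported (six requests roughly 300 s apart) while the same client's browsing of www.example.invalid is not. Real implants add jitter and vary paths, so in practice this heuristic is combined with destination reputation, request-size uniformity and first-seen-domain checks rather than used alone.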
    11. SGH module
       • Even more sophisticated
       • Careto and SGH can install each other
       • SGH runs in kernel mode
       • Extensible modules include: Skype, keylogger, file content, network traffic, screenshots, email messages
    12. How could Careto have been defeated? (attack step → countermeasure)
       • Spear-phishing email → Awareness training (spear-phishing; clicking Yes on updates and warnings)
       • Malicious URL → Web filtering
       • Java/Flash exploit → Patching
       • Malware executables installed → Application control
       • DLL injected → Memory protection
       • Phone home → Next-gen network protection
    13. How do you prevent malware like this?
    14. Additional information
       • Free security scanner tools (premium-security-tools.aspx):
         • Application Scanner – discover all the apps being used in your network
         • Device Scanner – discover all the devices being used in your network
       • Reports:
         • Whitepaper "The State of APT Preparedness" from UBM Tech at WhitePapers/The-State-of-APT-Preparedness
         • On-demand webcast "Top 9 Mistakes of APT Victims" by Ultimate Windows Security at Webcasts/Top-9-Mistakes-of-APT-Victims
       • Free trial (virtual or download): management-security-suite/free-trial.aspx
    15. Additional information