Modern Reconnaissance Phase on APT - protection layer

This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish if the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users.


  1. Modern reconnaissance phase by APT – protection layer
  2. whoami
     • Paul Rascagneres – prascagn@cisco.com // @r00tbsd
     • Security Researcher at Cisco Talos
     • Malware & APT hunter for more than 7 years…
     • Co-Organizer of Botconf, the CFP is still open ;-) https://www.botconf.eu/botconf-2017/call-for-papers-2017/
  3. whoami
     • Warren Mercer – wamercer@cisco.com // @SecurityBeard
     • Security Researcher at Cisco Talos
     • I like looking at malware and finding it :)
     • NetSec, Malware Analysis, Threat Intelligence.
     • Co-Founder of BSides Belfast, don’t go to France, come to Northern Ireland instead! https://www.bsidesbelfast.org
  4. Agenda
     • Infection vector: reconnaissance evolution
     • 5 case studies
     • Maybe the beginning…
     • Mitigations
     • Conclusion
     • Technical bonus (if nobody asks questions :P)
  5. Infection vector: reconnaissance evolution
  6. Infection vector: reconnaissance evolution
     • Why this presentation?
     • A few issues for APT actors:
       • Sandbox systems
       • Automatic analysis of malicious documents
     • Valuable code for APT actors:
       • Complex RAT framework
       • 0-day
     • Evolution: the infection vectors now include mechanisms to avoid leaking 0-days, complex RAT frameworks or any other valuable code to malware researchers/security companies
  7. Case Study 1 - NATO
  8. Case Study 1
     • SHA256: ffd5bd7548ab35c97841c31cf83ad2ea5ec02c741560317fc9602a49ce36a763
     • Filename: NATO secretary meeting.doc
     (figure: Matryoshka doll – Reconnaissance Framework)
  9. Case Study 1
     • RTF document with a succession of embedded objects
  10. Case Study 1
     • First step: reconnaissance via a first Flash object. HTTP request to the C&C (note the /nato), sent by the Flash in the ActiveX object:
       A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f
       (screenshot annotations: Flash version; Windows version)
  11. Case Study 1
     • Second step: if the collected data is good for the operator: download of the payload & Flash exploit
     • If not: end of chain :’(
  12. Case Study 1
     • Third step: Flash loading and exploitation & payload execution
     (screenshot annotations: on-the-fly Flash loading; shellcode variable)
  13. Case Study 1
     • Cisco Umbrella helped us identify the DNS traffic associated with this C&C. The huge quantity of requests starting on the 16th of January was performed by the security research community:
  14. Case Study 2 – Dina Bosio
  15. Case Study 2
     • SHA256: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6
     • Filename: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc
  16. Case Study 2
     • Macro
     (screenshot annotations: beginning of the encoded next stage; JavaScript stage; RC4 key passed as argument to the JavaScript stage)
  17. Case Study 2
     • JavaScript
     (screenshot annotations: Base64 function; RC4 function)
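Slides 16 and 17 describe the Case Study 2 layering: the macro hands an RC4 key to a JavaScript stage that Base64-decodes and RC4-decrypts the next stage. The Python below is an added example, not code from the talk or from the sample: a decoder for exactly that wrapping, plus a printable-ratio check that lets an analyst try several string constants pulled out of a macro as candidate keys. The key, the stand-in stage text and the candidate list are constructed here; only the RC4 and Base64 steps come from the slides.

```python
"""Decoder for an RC4-then-Base64 wrapped script stage (added example).
The key, plaintext and candidate list below are constructed for the demo."""
import base64
import string

PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR with the keystream.
    The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_stage(blob_b64: str, key: str) -> bytes:
    """Base64 -> RC4 with the key the macro passes as an argument."""
    return rc4(key.encode(), base64.b64decode(blob_b64))


def encode_stage(plaintext: bytes, key: str) -> str:
    """Inverse of decode_stage; used here only to build the sample."""
    return base64.b64encode(rc4(key.encode(), plaintext)).decode()


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; script text scores ~1.0,
    output decrypted with a wrong key scores ~0.4."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def try_keys(blob_b64: str, candidates, threshold: float = 0.95):
    """A macro often carries several string constants; try each as the key
    and keep the first whose output reads as script text."""
    for key in candidates:
        out = decode_stage(blob_b64, key)
        if printable_ratio(out) >= threshold:
            return key, out
    return None, b""


# Constructed sample: a harmless stand-in for the JavaScript second stage.
SAMPLE_KEY = "Ex4mpleK3y"
SAMPLE_STAGE = b'WScript.Echo("second stage placeholder");'
SAMPLE_ENCODED = encode_stage(SAMPLE_STAGE, SAMPLE_KEY)

if __name__ == "__main__":
    key, stage = try_keys(SAMPLE_ENCODED, ["Sheet1", "MailForm", SAMPLE_KEY])
    print(key, stage.decode())
```

The printable-ratio test is what makes the key search usable on a real macro: a wrong RC4 key yields pseudo-random bytes, of which only about 100 of 256 values are printable, so a threshold of 0.95 separates script text from noise with a few dozen bytes.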
  18. Case Study 2
     • Final payload: the collection commands
       systeminfo
       net view
       net view /domain
       tasklist /v
       gpresult /z
       netstat -nao
       ipconfig /all
       arp -a
       net share | net use | net user
       net user administrator
       net user /domain
       net user administrator /domain
       set
       dir %systemdrive%\Users\*.*
       dir %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*
       dir %userprofile%\Desktop\*.*
       tasklist /fi modules eq wow64.dll
       tasklist /fi modules ne wow64.dll
       dir %programfiles(x86)%
       dir %programfiles%
       dir %appdata%
     (screenshot annotation: C&C)
  19. Case Study 2
     • Data sent to 2 compromised websites
     • If the data is good for the attacker, a PE32 file is downloaded and executed (MailForm.pif)
     • If not: no final payload :’(
  20. Case Study 3 – Survey Time!
  21. Case Study 3
     • SHA256: eb1f47c9f71d3fd2ff744a9454c256bf3248921fbcbadf0a80d5e73a0c6a82de
     • Filename: survey.xls
  22. Case Study 3
     • Macro
     • Creation of a VBS to execute a PowerShell
     (screenshot annotation: execution through a scheduled task… no CreateProcess())
  23. Case Study 3
     (screenshot annotation: C&C)
  24. Case Study 3
     • A batch file is downloaded from the C&C in order to collect information about the target system:
     • If the collected data is sufficient for the attacker, a RAT is downloaded; if not: no final payload
  25. Case Study 4 – Korean New Year
  26. Case Study 4
     • SHA256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919
     • Filename: 5170101-17년_북한_신년사_분석.hwp (5170101-17 __ North Korea _ New Year _ analysis .hwp)
  27. Case Study 4
     • Hangul Word Processor
     • An HWP document allegedly written by the Korean Ministry of Unification
     • The document contains links to 2 OLE objects
  28. Case Study 4
     • The OLE objects drop 2 executables:
       C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (2).exe
       C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (3).exe
  29. Case Study 4
     • First step: open a decoy document
  30. Case Study 4
     • Second step: collect information about the target
       - Computer name
       - Username
       - Execution path
       - BIOS model (HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData)
     • Purpose: to determine if the target is suitable for attack
  31. Case Study 4
     • Example request (PCAP available on VirusTotal). Decoded data:
       0F37555F#0#0#0#TEQUILABOOMBOOM#janettedoe#C:\4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4#innotek GmbH VirtualBox 1.2
       (screenshot annotations, in field order: hostname, username, execution path, BIOS model)
  32. Case Study 4
     • Third step: if the collected data is sufficient for the attacker: download & execute the final payload; if not: no payload (.jpg file)
     • The command & control is a compromised Korean governmental website, the Korean Government Legal Service:
       - www.kgls.or.kr/news2/news_dir/index.php (where the collected information is sent)
       - www.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg (where 02BC6B26 is a random ID)
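Two of the reconnaissance beacons appear in clear text in the talk: the Flash capability string of Case Study 1 (slide 10, which is the format Flash's System.capabilities.serverString produces) and the '#'-delimited beacon of the Case Study 4 HWP dropper (slide 31). The Python below is an added example, not code from the talk: it parses both, recognises the Flash key set in a proxy-log URL so a defender can spot the first-stage request even when the second stage never arrives, and flags the BIOS field that identifies an analysis VM, which is why a sandbox detonation of the document stops at stage one. The C&C hostname, the beacon values, the VM marker list and the name "id" for the first beacon field are constructed or assumed; the query string itself is the one on slide 10.

```python
"""Parsers for the two reconnaissance beacons shown in the slides (added example)."""
from urllib.parse import parse_qs, urlsplit

# Keys Flash's System.capabilities.serverString emits, the same set as the
# Case Study 1 request; most of them together in one query is characteristic.
FLASH_CAPABILITY_KEYS = {"A", "SA", "SV", "EV", "MP3", "AE", "VE", "ACC", "PR", "SP", "SB",
                         "DEB", "V", "M", "R", "DP", "COL", "AR", "OS", "L", "PT"}

# Assumption: vendor strings commonly found in the SMBIOS data of analysis hosts.
VM_BIOS_MARKERS = ("virtualbox", "innotek", "vmware", "qemu", "bochs", "xen", "virtual machine")


def parse_flash_fingerprint(query: str) -> dict:
    """Pull out the fields an operator decides on from a capability string."""
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {
        "flash_version": fields.get("V"),   # e.g. "WIN 9,0,0,0": platform and player version
        "os": fields.get("OS"),
        "player_type": fields.get("PT"),    # "ActiveX" means an IE/Office-hosted player
        "language": fields.get("L"),
        "resolution": fields.get("R"),
    }


def is_flash_fingerprint(url: str, min_keys: int = 15) -> bool:
    """True when a proxy-log URL carries the Flash capability key set."""
    keys = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    return len(FLASH_CAPABILITY_KEYS & keys) >= min_keys


def parse_hwp_beacon(decoded: str) -> dict:
    """Slide 31 layout: <first field, assumed to be an id>#0#0#0#hostname#
    username#execution path#BIOS model (the BIOS string may itself hold '#')."""
    parts = decoded.split("#")
    if len(parts) < 8:
        raise ValueError("unexpected beacon layout")
    return {"id": parts[0], "hostname": parts[4], "username": parts[5],
            "exec_path": parts[6], "bios_model": "#".join(parts[7:])}


def looks_like_analysis_host(beacon: dict) -> bool:
    """Does the BIOS field identify a virtual machine? When it does, the
    operator withholds the second stage, so sandbox runs end at stage one."""
    bios = beacon["bios_model"].lower()
    return any(marker in bios for marker in VM_BIOS_MARKERS)


# Query string from slide 10; the host is a constructed placeholder.
SAMPLE_QUERY = ("A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t"
                "&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color"
                "&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f"
                "&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f")
SAMPLE_URL = "http://c2.example.invalid/nato?" + SAMPLE_QUERY
# Constructed beacon following the slide 31 layout.
SAMPLE_BEACON = ("1A2B3C4D#0#0#0#LAB-WS01#analyst#"
                 r"C:\Users\analyst\Downloads\sample.exe#innotek GmbH VirtualBox 1.2")

if __name__ == "__main__":
    print(is_flash_fingerprint(SAMPLE_URL), parse_flash_fingerprint(SAMPLE_QUERY))
    beacon = parse_hwp_beacon(SAMPLE_BEACON)
    print(beacon, "analysis host" if looks_like_analysis_host(beacon) else "real host")
```

Run over proxy logs, is_flash_fingerprint gives a hunting query that does not depend on the C&C hostname: the capability key set is stable across campaigns while the server is not, and a document-rendering process is an unusual origin for such a request.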
  33. Global map
  34. Case Study 5 - ROKRAT
  35. Case Study 5
     • From the official email contact of Korea Global Forum
     • Compromised & abused email
     • Email asking to complete the attached document
  36. Case Study 5
     • Email asking for help from someone in North Korea
     • The attacker plays on empathy
  37. Case Study 5
  38. Case Study 5
     • EPS object embedded within the HWP document.
     • ZLIB compression (default with Hangul)
     • The EPS document is where the magic was; by magic, we mean the exploit!
  39. Case Study 5
     • The extracted EPS object reveals the exploit
     • Exploit for CVE-2013-0808, an EPS-based overflow
     • Shellcode directly embedded in the EPS, using a NOP sled (0x04)
       http://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg
       http://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg
  40. Case Study 5
     • Analysis frustrations! This can complicate analysis and make it harder!
     • Infinite sleep loop on Windows XP or Windows Server 2003
  41. Case Study 5
     • Doh! More anti-analysis techniques used! The running processes are checked for analysis tools:
       • "mtool" for VMware Tools
       • "llyd" for OllyDBG
       • "ython" for Python (Cuckoo Sandbox for example)
       • "ilemo" for File Monitor
       • "egmon" for Registry Monitor
       • "peid" for PEiD
       • "rocex" for Process Explorer
       • "vbox" for VirtualBox
       • "iddler" for Fiddler
       • "ortmo" for Portmon
       • "iresha" for Wireshark
       • "rocmo" for Process Monitor
       • "utoru" for Autoruns
       • "cpvie" for TCPView
  42. Case Study 5
     • Beginning to get annoying now… Right? Fake IOCs in analysis tools or sandboxes, trying to confuse you!
       https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg
       http://www[.]hulu[.]com/watch/559035/episode3.mp4
  43. Case Study 5
     • C&C infrastructure, used for controlling compromised assets: ROKRAT brought its A game.
     • CC #1: Twitter
       • Traffic analysis can be difficult
       • 7 different hardcoded Twitter API tokens used for C2
       • Used the Update, Tweet & Search API functions
  44. Case Study 5
     • File exfiltration can be hard, normally.
     • CC #2: Yandex (cloud storage platform)
       • Used for file/document exfiltration
       • Using API functionality again, this time 4 tokens identified
       • Performed over HTTPS
  45. Case Study 5
     • More file exfiltration!
     • CC #3: Mediafire (cloud platform)
       • Additional mechanism for file/document exfiltration
       • Single API token identified, again hard-coded
       • HTTPS, again!
  46. Case Study 5
     • File/document exfiltration was complemented: why not have everything?
     • The attacker implemented screenshot & keylogging functionality.
  47. Case Study Summary
     • Users. Users. Users. Users. Users. Users. Users. Users.
     • They’re the weak target in every case study.
     • Spear phishing is the favoured method of infection throughout; this results in small campaigns and arouses less suspicion.
     • They innovate to keep their exploits and capabilities private.
     • Target/asset information collection ensures their exploits are not wasted.
  48. Maybe the beginning…
  49. Maybe the beginning
     • No APT tools, but could inspire some actors….
     • MS Publisher documents
     • “Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a 'Protected View' mode. This is a read only mode which can help end users remain protected from malicious document files. Microsoft Publisher is included and installed by default in Office 365.”
     • => http://blog.talosintelligence.com/2017/02/pony-pub-files.html
  50. Maybe the beginning
     • No APT tools, but could inspire some actors….
     • “Yay! I use MacOS… I’m saved!!”
     • Interesting sample:
       • sha256: 40c414fd75de6def664b3e953313125fc5e05628b6a2e07ded7634dc4f884666
  51. Maybe the beginning
     • No APT tools, but could inspire some actors….
     • “Yay! I use MacOS… I’m saved!!”
  52. Maybe the beginning
     (screenshot annotation: macshell() + Python script ;))
  53. Mitigations
  54. Mitigations
     • Office Macro:
       • Disable Macro execution
       • New feature in Office 2016: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
     • PowerShell:
       • To restrict the Execution Policy:
         Set-ExecutionPolicy -ExecutionPolicy Restricted
  55. Mitigations
     • JavaScript / Wscript
       • To disable WSH:
         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled => REG_DWORD = 0
     • More generally
       • Keep your software up to date…
       • AppLocker (correctly configured!!! Don’t forget DLL loading)
       • Device Guard / VBS
  56. Mitigations
     • Monitoring of the usage of scripting languages
     • MacOS mitigations…
       • For Microsoft Office, see previous slides
       • For script control… … … no method
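Slide 56 asks for monitoring of scripting-language usage, and the case studies show what that monitoring should catch: a script host started from an Office document (slide 16), PowerShell launched through a scheduled task instead of a direct CreateProcess (slide 22), and a burst of the reconnaissance commands listed on slide 18 coming from one parent. The Python below is an added example, not code from the talk or from any vendor product: three such rules run over constructed process-creation events in a key=value line format of my own. The field names, the parent-process lists (taskeng.exe and svchost.exe as Task Scheduler launchers), the 60-second window and the threshold of four distinct commands are assumptions to tune against a real telemetry source such as Sysmon or EDR process events.

```python
"""Three detection rules for script-based reconnaissance (added example).
Input is a constructed process-creation log, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Recon commands from the Case Study 2 payload (slide 18).
RECON_COMMANDS = {"systeminfo", "net view", "tasklist", "gpresult", "netstat",
                  "ipconfig", "arp", "net share", "net use", "net user", "set", "dir"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "hwp.exe"}
# Assumption: processes launched by the Task Scheduler show one of these parents.
TASK_LAUNCHERS = {"taskeng.exe", "svchost.exe"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """'<iso timestamp> key=value key="quoted value" ...' -> dict."""
    ts, _, rest = line.partition(" ")
    ev = {k: q or u for k, q, u in FIELD_RE.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    ev["image_name"] = PureWindowsPath(ev.get("image", "")).name.lower()
    ev["parent_name"] = PureWindowsPath(ev.get("parent", "")).name.lower()
    return ev


def recon_command(cmdline: str):
    """Return the recon command a command line runs, or None."""
    tokens = cmdline.lower().replace('"', "").split()
    if tokens and PureWindowsPath(tokens[0]).name in ("cmd.exe", "cmd") and "/c" in tokens:
        tokens = tokens[tokens.index("/c") + 1:]   # unwrap "cmd /c" so dir and set are seen
    if not tokens:
        return None
    head = PureWindowsPath(tokens[0]).name
    head = head[:-4] if head.endswith(".exe") else head
    two = f"{head} {tokens[1]}" if len(tokens) > 1 else head   # "net view", "net user", ...
    return two if two in RECON_COMMANDS else head if head in RECON_COMMANDS else None


def detect(lines, window=timedelta(seconds=60), min_distinct=4):
    """Apply the three rules; returns a list of alert dicts."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, by_parent = [], defaultdict(list)
    for ev in events:
        if ev["image_name"] in SCRIPT_HOSTS and ev["parent_name"] in OFFICE_APPS:
            alerts.append({"rule": "script_host_from_office", "host": ev["host"],
                           "cmdline": ev["cmdline"]})
        if ev["image_name"] in SCRIPT_HOSTS and ev["parent_name"] in TASK_LAUNCHERS:
            alerts.append({"rule": "script_host_from_scheduled_task", "host": ev["host"],
                           "cmdline": ev["cmdline"]})
        cmd = recon_command(ev.get("cmdline", ""))
        if cmd and ev["parent_name"] in SCRIPT_HOSTS | OFFICE_APPS:
            by_parent[(ev["host"], ev["ppid"], ev["parent_name"])].append((ev["ts"], cmd))
    for (host, ppid, parent), items in by_parent.items():
        for i, (start, _) in enumerate(items):          # sliding window per parent process
            seen = {c for t, c in items[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts.append({"rule": "recon_burst_from_script_host", "host": host,
                               "parent": parent, "ppid": ppid, "commands": sorted(seen)})
                break
    return alerts


# Constructed events: one macro-driven recon burst, one scheduled PowerShell, one benign line.
SAMPLE_LOG = r"""
2017-03-01T09:00:00Z host=WS01 pid=4100 ppid=3900 image=C:\Windows\System32\WScript.exe parent="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" cmdline="wscript.exe C:\Users\jdoe\AppData\Local\Temp\stage.js"
2017-03-01T09:00:02Z host=WS01 pid=4102 ppid=4100 image=C:\Windows\System32\systeminfo.exe parent=C:\Windows\System32\WScript.exe cmdline="systeminfo"
2017-03-01T09:00:03Z host=WS01 pid=4103 ppid=4100 image=C:\Windows\System32\net.exe parent=C:\Windows\System32\WScript.exe cmdline="net view"
2017-03-01T09:00:04Z host=WS01 pid=4104 ppid=4100 image=C:\Windows\System32\net.exe parent=C:\Windows\System32\WScript.exe cmdline="net view /domain"
2017-03-01T09:00:05Z host=WS01 pid=4105 ppid=4100 image=C:\Windows\System32\tasklist.exe parent=C:\Windows\System32\WScript.exe cmdline="tasklist /v"
2017-03-01T09:00:07Z host=WS01 pid=4106 ppid=4100 image=C:\Windows\System32\gpresult.exe parent=C:\Windows\System32\WScript.exe cmdline="gpresult /z"
2017-03-01T09:00:09Z host=WS01 pid=4107 ppid=4100 image=C:\Windows\System32\netstat.exe parent=C:\Windows\System32\WScript.exe cmdline="netstat -nao"
2017-03-01T09:00:11Z host=WS01 pid=4108 ppid=4100 image=C:\Windows\System32\ipconfig.exe parent=C:\Windows\System32\WScript.exe cmdline="ipconfig /all"
2017-03-01T09:00:13Z host=WS01 pid=4109 ppid=4100 image=C:\Windows\System32\arp.exe parent=C:\Windows\System32\WScript.exe cmdline="arp -a"
2017-03-01T09:00:20Z host=WS01 pid=4110 ppid=4100 image=C:\Windows\System32\cmd.exe parent=C:\Windows\System32\WScript.exe cmdline="cmd.exe /c dir %appdata%"
2017-03-01T09:05:00Z host=WS02 pid=5001 ppid=900 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\taskeng.exe cmdline="powershell.exe -File C:\Users\Public\task.ps1"
2017-03-01T09:06:00Z host=WS03 pid=6001 ppid=1500 image=C:\Windows\System32\ipconfig.exe parent=C:\Windows\System32\cmd.exe cmdline="ipconfig /all"
"""

ALERTS = detect(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

The burst rule is what keeps the noise down: a single ipconfig from an interactive shell (the WS03 line) is normal administration and raises nothing, while eight distinct recon commands under one script host within twenty seconds is the slide 18 payload in motion. The two parent-based rules fire on the first event, before any command runs, which matters for the case-study chains where the recon stage itself is the only thing an analyst will ever see.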
  57. Conclusion
  58. Conclusion
     • APT actors put more and more effort into protecting valuable code by performing reconnaissance before the final payload execution
     • In the near future:
       • more controls of the target’s relevance
       • C&C used for reconnaissance alive for only a few hours/days
       • 0-days & advanced RAT frameworks are expensive; the bad guys will improve the way they deliver them to the real targets (memory only/fileless/…)
     • New difficulties for malware researchers: without the last stage and the final payload, investigations will be complicated and incomplete
  59. Conclusion
     • Scripting languages on Windows are really trendy for APT campaigns:
       • PowerShell
       • JavaScript
       • Batch
       • …
     • These languages are native, embedded in Windows and powerful
     • Obfuscation is included almost « by design » for these languages
     • Monitoring is mandatory
  60. Conclusion
     • If the target was already compromised in the past, identifying its relevance is easier:
       • Is the domain name known from the previous compromise?
       • Is the OS version known from the previous compromise?
       • Is the network setup known from the previous compromise?
       • Is the available account setup known from the previous compromise?
       • …
     • In this context, the bad guys know your internal infrastructure…
  61. Technical Bonus
  62. Technical Bonus
  63. Technical Bonus
     • PowerShell is an indispensable tool for malware developers…
     • How to automate PowerShell analysis?
     • Can we debug PowerShell scripts with WinDBG? YES we can
  64. Technical Bonus
     (diagram annotation: we are here: cdb is the CLI)
  65. Technical Bonus
     • Usage of unmanaged code (for example DllImport)
     • Standard WinDBG breakpoint => bp kernelbase!VirtualAlloc
     • No specific WinDBG tricks, debug “as usual”
  66. Technical Bonus
     • Usage of managed code == .NET framework
       0:011> .loadby sos clr
       0:011> !bpmd system.dll System.Diagnostics.Process.Start
       Found 6 methods in module 00007fff97581000...
       breakpoint: bp 00007FFF977C96D9 [System.Diagnostics.Process.Start(System.
       breakpoint: bp 00007FFF97E8057D [System.Diagnostics.Process.Start(System.
       breakpoint: bp 00007FFF97E80539 [System.Diagnostics.Process.Start(System.
       breakpoint: bp 00007FFF97E804B6 [System.Diagnostics.Process.Start(System.
       breakpoint: bp 00007FFF97E80436 [System.Diagnostics.Process.Start(System.
       System.String,
       breakpoint: bp 00007FFF977C72DA [System.Diagnostics.Proces
       Adding pending breakpoints...
     • SOS for .NET analysis + breakpoint
  67. Technical Bonus
     • Usage of managed code == .NET framework
       Breakpoint 0 hit
       System_ni+0x2496d9:
       00007fff`977c96d9 488d0d08711e00  lea  rcx,[System_ni+0x4307e8 (00007fff`979b07e8)]
       0:008> !CLRStack -p
       OS Thread Id: 0x2d34 (8)
               Child SP               IP Call Site
       000000a7f9ace700 00007fff977c96d9 System.Diagnostics.Process.Start(System.Diagnostics.ProcessStartInfo)
           PARAMETERS:
               startInfo (<CLR reg>) = 0x0000028cbd5faa18
     • .NET breakpoint & arguments playing
  68. Technical Bonus
     • Usage of managed code == .NET framework
       0:008> !DumpObj /d 0000028cbd5faa18
       Name:        System.Diagnostics.ProcessStartInfo
       MethodTable: 00007fff979ae380
       EEClass:     00007fff975e29f0
       Size:        144(0x90) bytes
       File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
       Fields:
                     MT    Field   Offset                 Type VT     Attr            Value Name
       00007fff9897de98  40027f3        8        System.String  0 instance 0000028cbd5fde18 fileName
       00007fff9897de98  40027f4       10        System.String  0 instance 0000000000000000 arguments
       [...redacted...]
       00007fff9897ad70  4002806       58 System.WeakReference  0 instance       0000000000 weakParentProces
       00007fff979af0a0  4002807       60 ....StringDictionary  0 instance           000000 environmentVariables
       00007fff982e5ec0  4002808       68 ...tring, mscorlib]]  0 instance    0000000000000 environment
     • .NET breakpoint & arguments playing
  69. Technical Bonus
     • Usage of managed code == .NET framework
       0:008> !DumpObj /d 0000028cbd5fde18
       Name:        System.String
       MethodTable: 00007fff9897de98
       EEClass:     00007fff982d35f0
       Size:        88(0x58) bytes
       File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
       String:      C:\WINDOWS\system32\notepad.exe
     • .NET breakpoint & arguments playing
  70. Technical Bonus
     • Usage of managed code == .NET framework
       0:008> dp rcx+8 L1
       0000028c`bd5faa20  0000028c`bd5fde18
       0:008> du 0000028c`bd5fde18+0xC
       0000028c`bd5fde24  "C:\WINDOWS\system32\notepad.exe"
     • For geeks: directly in RCX
  71. Technical Bonus
     • Usage of managed code == .NET framework
       0:011> .loadby sos clr
       0:008> !bpmd system.dll System.Net.WebClient.DownloadFile
       Found 2 methods in module 00007fff97581000...
       MethodDesc = 00007fff976c1fe8
       MethodDesc = 00007fff976c1ff8
       Setting breakpoint: bp 00007FFF97DCAE0C [System.Net.WebClient.DownloadFile(System.Uri, System.String)]
       Setting breakpoint: bp 00007FFF97DCADBC [System.Net.WebClient.DownloadFile(System.String, System.String)]
       Adding pending breakpoints...
     • SOS for .NET analysis + breakpoint
  72. Technical Bonus
     • Usage of managed code == .NET framework
       Breakpoint 7 hit
       System_ni+0x84adbc:
       00007fff`97dcadbc 4885d2  test  rdx,rdx
     • SOS for .NET analysis + breakpoint
  73. Technical Bonus
     • Usage of managed code == .NET framework
       0:008> du rdx+c
       0000028c`bd53f13c  "http://blog.talosintelligence.co"
       0000028c`bd53f17c  "m/"
       0:008> du r8+c
       0000028c`bd53f3b4  "c:\users\lucifer\desktop\demo.tx"
       0000028c`bd53f3f4  "t"
     • SOS for .NET analysis + breakpoint
  74. www.talosintelligence.com – blog.talosintel.com – @talossecurity @r00tbsd @SecurityBeard
