Modern Reconnaissance Phase on APT - protection layer

1. Modern reconnaissance phase by APT – protection layer

2. whoami • Paul Rascagneres – prascagn@cisco.com // @r00tbsd • Security Researcher at Cisco Talos • Malware & APT hunter for more than 7 years… • Co-Organizer of Botconf, the CFP is still opened ;-) https://www.botconf.eu/botconf-2017/call-for-papers-2017/

3. whoami • Warren Mercer – wamercer@cisco.com // @SecurityBeard • Security Researcher at Cisco Talos • I like looking at malware and finding it J • NetSec, Malware Analysis, Threat Intelligence. • Co-Founder of BSides Belfast, don’t go to France, come to Northern Ireland instead! https://www.bsidesbelfast.org

4. Agenda • Infection vector: reconnaissance evolution • 5 case studies • Maybe the beginning… • Mitigations • Conclusion • Technical bonus ( if nobody asks questions :P )

5. Infection vector: reconnaissance evolution

6. Infection vector: reconnaissance evolution • Why this presentation? • Few issues for APT actors: • Sandbox systems • Automatic analysis of malicious documents • Valuable code for APT actors: • Complex RAT framework • 0-day • Evolution: the infection vectors include mechanisms to avoid leaking 0-day, complex RAT framework or any valuable code to malware researchers/security companies

7. Case Study 1 - NATO

8. Case Study 1 • SHA256: ffd5bd7548ab35c97841c31cf83ad2ea5ec02c741560317fc9602a49ce36a763 • Filename: NATO secretary meeting.doc Matryoshka doll – Reconnaissance Framework

9. Case Study 1 • RTF document with a succession of embedded objects

10. Case Study 1 • First step: Reconnaissance via a first Flash object: A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f &DEB=t&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=16 00x1200&DP=72&COL=color&AR=1.0&OS=Windows%20XP&L=en&PT =ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f&DDP=f&DTS=f&DTE=f &DTH=f&DTM=f HTTP request to the C&C (*note the /nato) Flash in ActiveX object Windows versionFlash version

11. Case Study 1 • Second step: if the collected data is good for the operator: Downloading of the Payload & Flash Exploit • if not: end of chain :’(

12. Case Study 1 • Third step: Flash loading and exploitation & payload execution On the fly Flash loading Shellcode variable

13. Case Study 1 • Cisco Umbrella helped us to identify DNS traffic associated with this C&C. The huge quantity of requests starting the 16th of January was performed by the security research community:

14. Case Study 2 – Dina Bosio

15. Case Study 2 • SHA256: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6 • Filename: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc

16. • Macro Beginning of the encoded next stage JavaScript stage RC4 key in argument to the JavaScript stage Ca se S t ud y 2

17. • JavaScript Base64 function RC4 function Ca se S t ud y 2

18. Case Study 2 • Final payload Systeminfo net view net view /domain tasklist /v gpresult /z netstat -nao ipconfig /all arp -a net share | net use | net user net user administrator net user /domain net user administrator /domain set dir %systemdrive%Users*.* dir %userprofile%AppDataRoamingMicrosoftWindowsRecent*.* dir %userprofile%Desktop*.* tasklist /fi modules eq wow64.dll tasklist /fi modules ne wow64.dll dir %programfiles(x86)% dir %programfiles% dir %appdata% CC

19. Case Study 2 • Data sent to 2 compromised websites • If the data is good for the attacker, a PE32 file is download and executed (MailForm.pif) • If not: no final payload :’(

20. Case Study 3 – Survey Time!

21. Case Study 3 • SHA256: eb1f47c9f71d3fd2ff744a9454c256bf3248921fbcbadf0a80d5e73a0c6a82de • Filename: survey.xls

22. Case Study 3 • Macro • Creation of a VBS to execute a PowerShell Execution with a Schedule Task… No CreateProcess()

23. Case Study 3 CC

24. Case Study 3 • A batch file is downloaded from the C&C in order to collect information about the target system: • If the collected data is sufficient for the attacker a RAT is downloaded, if not: no final payload

25. Case Study 4 – Korean New Year

26. Case Study 4 • SHA256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919 • Filename: 5170101-17년_북한_신년사_분석.hwp (5170101-17 __ North Korea _ New Year _ analysis .hwp)

27. Case Study 4 • Hangul Word Processor • A HWP document allegedly written by Korean Ministry of Unification • The document contains links to 2 OLE objects

28. Case Study 4 • The OLE objects drop 2 executables C:UsersADMINI~1AppDataLocalTempHwp (2).exe C:UsersADMINI~1AppDataLocalTempHwp (3).exe

29. Case Study 4 • First step : open a decoy document

30. Case Study 4 • Second step: collect information about the target - Computer name - Username - Execution path - BIOS Model (HKLMSystemCurrentControlSetServicesmssmbi osDataSMBiosData) • Purpose: to determine if target is suitable for attack

31. Case Study 4 • Example request (PCAP available on VirusTotal) Decoded data: 0F37555F#0#0#0#TEQUILABOOMBOOM#janetted oe#C:4b20883386665bd205ac50f34f7b6293747f d720d602e2bb3c270837a21291b4#innotek GmbH VirtualBox 1.2 Hostname username Execution path BIOS model

32. Case Study 4 • Third step: if the collected data is sufficient for the attacker: download & execute the final payload, if not: no payload (.jpg file) • The command & control is a compromised Korean governmental website: Korean Government Legal Service - www.kgls.or.kr/news2/news_dir/index.php (where the collected information is sent) - www.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg (where 02BC6B26 is a random ID)

33. Global mapGlobal map

34. Case Study 5 - ROKRAT

35. Case Study 5 • From the official email contact of Korea Global Forum • Compromised & abused email • Email asking to complete attached document

36. Case Study 5 • Email asking for help from someone in North Korea • Attacker works on empathy

37. Case Study 5

38. Case Study 5 • EPS Object embedded within HWP document. • ZLIB Compression (Default with Hangul) • EPS Document is where the magic was, by magic, we mean exploit !

39. Case Study 5 • Extracted EPS object reveals the exploit • CVE-2013-0808 exploit used which is an EPS based overflow • Shellcode directly embedded in the EPS, using a NOP Sled (0x04) http://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg http://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg

40. Case Study 5 • Analysis Frustrations! This can complicated analysis and make it harder! Infinite loop of sleep on Windows XP or Windows Server 2003

41. Case Study 5 • Doh! More anti-analysis techniques used! Control of the running process to detect analysis tools • "mtool" for VMWare Tools • "llyd" for OllyDBG • "ython" for Python (Cuckoo Sandbox for example) • "ilemo" for File Monitor • "egmon" for Registry Monitor • "peid" for PEiD • "rocex" for Process Explorer • "vbox" for VirtualBox • "iddler" for Fiddler • "ortmo" for Portmon • "iresha" for Wireshark • "rocmo" for Process Monitor • "utoru" for Autoruns • "cpvie" for TCPView

42. Case Study 5 • Beginning to get annoying now… Right? Fake IOCs in analysis tools or sandbox, trying to confuse you! https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg http://www[.]hulu[.]com/watch/559035/episode3.mp4

43. Case Study 5 • C&C Infrastructure, used for controlling compromised assets, ROKRAT brought their A Game. • CC #1: Twitter used • Traffic analysis can be difficult • Used 7 different hardcoded Twitter API Tokens for C2 • Used Update, Tweet & Search API functions

44. Case Study 5 • File exfiltration can be hard, normally. • CC #2: Yandex (Cloud storage platform) • Used for file/document exfiltration • Using API functionality again, this time 4 tokens identified • Performed over HTTPS

45. Case Study 5 • More file exfiltration! • CC #3: Mediafire (Cloud Platform) • Additional mechanism for file/document exfiltration • Single API token identified, again hard coded • HTTPS, again!

46. Case Study 5 • File/Document exfiltration was complimented, why not have everything? • Attacker implemented screen shot & key logging functionality.

47. Case Study Summary • Users. Users. Users. Users. Users. Users. Users. Users. • They’re the weak target in every case study. • Spear Phishing is a favoured method of infection through all, this results in small campaigns and less arousal of suspicion. • Innovation attempts to keep their exploits and capabilities private. • Target / Asset information collection – ensure their exploits are not wasted.

48. Maybe the beginning…

49. Maybe the beginning • No APT tools but could inspire some actors…. • MS Publisher documents • “Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a 'Protected View' mode. This is a read only mode which can help end users remain protected from malicious document files. Microsoft Publisher is included and installed by default in Office 365.” • => http://blog.talosintelligence.com/2017/02/pony-pub-files.html

50. Maybe the beginning • No APT tools but could inspire some actors…. • “Yay! I use MacOS… I’m saved !! “ • Interesting sample: • sha256: 40c414fd75de6def664b3e953313125fc5e05628b6a2e07ded7634dc4f884666

51. Maybe the beginning • No APT tools but could inspired some actors…. • “Yay! I use MacOS… I’m saved !! “

52. Maybe the beginning macshell() + Python script ;)

53. Mitigations

54. Mitigations • Office Macro: • Disable Macro execution • New feature in Office 2016: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new- feature-in-office-2016-can-block-macros-and-help-prevent- infection/ • PowerShell: • To restrict Execution Policy • Set-ExecutionPolicy -ExecutionPolicy Restricted

55. Mitigations • JavaScript / Wscript • To disable WSH • HKEY_LOCAL_MACHINESoftwareMicrosoftWindows Script HostSettingsEnabled => REG_DWORD = 0 • More generally • Keep your software up to date… • AppLocker (correctly configured!!! Don’t forget dll loading) • Device Guard / VBS

56. Mitigations • Monitoring of the usage of scripting languages • MacOS mitigations… • For Microsoft Office, see previous slides • For script control… … … no method

57. Conclusion

58. Conclusion • APT actors put more and more efforts to protect valuable code by performing reconnaissance before the final payload execution • In the near future: • more controls of the target’s relevance • CC used for reconnaissance alive for only few hours/days • 0-day & advanced RAT framework are expensive, the bad guys will improve the way to deliver its on the real targets (memory only/fileless/…) • New difficulties for malware researchers: without the last stage and the final payload, the investigations will be complicated and incomplete

59. Conclusion • Scripting languages on Windows are really trendy for APT campaigns: • PowerShell • JavaScript • Batch • … • These languages are native, embedded in Windows and powerful • Obfuscation is included almost « by design » for these languages • Monitoring is mandatory

60. Conclusion • If that target was already compromised in the past, the identification of the relevance is easier: • Is the domain name known from the previous compromise? • Is the OS version known from the previous compromise? • Is the network setup known from the previous compromise? • Is the available account setup known from the previous compromise? • … • In this context, bad guys know your internal infrastructure…

61. Technical Bonus

62. Technical Bonus

63. Technical Bonus • Powershell is an unmissable tool for malware developers… • How to automate Powershell analysis ? • Can we debug Powershell scripts with WinDBG ? YES we can

64. Technical Bonus We are here: cdb is the CLI

65. Technical Bonus • Usage of unmanaged code (for example dllimport) • Standard WinDBG breakpoint => bp kernelbase!VirtualAlloc • No specific WinDBG tricks, debug “as usual”

66. Technical Bonus • Usage of managed code == .NET framework 0:011> .loadby sos clr 0:011> !bpmd system.dll System.Diagnostics.Process.Start Found 6 methods in module 00007fff97581000... breakpoint: bp 00007FFF977C96D9 [System.Diagnostics.Process.Start(System. breakpoint: bp 00007FFF97E8057D [System.Diagnostics.Process.Start(System. breakpoint: bp 00007FFF97E80539 [System.Diagnostics.Process.Start(System. breakpoint: bp 00007FFF97E804B6 [System.Diagnostics.Process.Start(System. breakpoint: bp 00007FFF97E80436 [System.Diagnostics.Process.Start(System. System.String, breakpoint: bp 00007FFF977C72DA [System.Diagnostics.Proces Adding pending breakpoints... • SOS for .NET analysis + breakpoint

67. Technical Bonus • Usage of managed code == .NET framework Breakpoint 0 hit System_ni+0x2496d9: 00007fff`977c96d9 488d0d08711e00 lea rcx,[System_ni+0x4307e8 (00007fff`979b07e8)] 0:008> !CLRStack -p OS Thread Id: 0x2d34 (8) Child SP IP Call Site 000000a7f9ace700 00007fff977c96d9 System.Diagnostics.Process.Start(System.Diagnostics.ProcessStartInfo) PARAMETERS: startInfo (<CLR reg>) = 0x0000028cbd5faa18 • .NET breakpoint & arguments playing

68. Technical Bonus • Usage of managed code == .NET framework 0:008> !DumpObj /d 0000028cbd5faa18 Name: System.Diagnostics.ProcessStartInfo MethodTable: 00007fff979ae380 EEClass: 00007fff975e29f0 Size: 144(0x90) bytes File: C:WINDOWSMicrosoft.NetassemblyGAC_MSILSystemv4.0_4.0.0.0__b77a5c561934e089System.dll Fields: MT Field Offset Type VT Attr Value Name 00007fff9897de98 40027f3 8 System.String 0 instance 0000028cbd5fde18 fileName 00007fff9897de98 40027f4 10 System.String 0 instance 0000000000000000 arguments [...redacted...] 00007fff9897ad70 4002806 58 System.WeakReference 0 instance 0000000000 weakParentProces 00007fff979af0a0 4002807 60 ....StringDictionary 0 instance 000000 environmentVariables 00007fff982e5ec0 4002808 68 ...tring, mscorlib]] 0 instance 0000000000000 environment • .NET breakpoint & arguments playing

69. Technical Bonus • Usage of managed code == .NET framework 0:008> !DumpObj /d 0000028cbd5fde18 Name: System.String MethodTable: 00007fff9897de98 EEClass: 00007fff982d35f0 Size: 88(0x58) bytes File: C:WINDOWSMicrosoft.NetassemblyGAC_64mscorlibv4.0_4.0.0.0__b77a5c56 1934e089mscorlib.dll String: C:WINDOWSsystem32notepad.exe • .NET breakpoint & arguments playing

70. Technical Bonus • Usage of managed code == .NET framework 0:008> dp rcx+8 L1 0000028c`bd5faa20 0000028c`bd5fde18 0:008> du 0000028c`bd5fde18+0xC 0000028c`bd5fde24 "C:WINDOWSsystem32notepad.exe" • For geeks directly in RCX

71. Technical Bonus • Usage of managed code == .NET framework 0:011> .loadby sos clr 0:008> !bpmd system.dll System.Net.WebClient.DownloadFile Found 2 methods in module 00007fff97581000... MethodDesc = 00007fff976c1fe8 MethodDesc = 00007fff976c1ff8 Setting breakpoint: bp 00007FFF97DCAE0C [System.Net.WebClient.DownloadFile(System.Uri, System.String)] Setting breakpoint: bp 00007FFF97DCADBC [System.Net.WebClient.DownloadFile(System.String, System.String)] Adding pending breakpoints... • SOS for .NET analysis + breakpoint

72. Technical Bonus • Usage of managed code == .NET framework Breakpoint 7 hit System_ni+0x84adbc: 00007fff`97dcadbc 4885d2 test rdx,rdx • SOS for .NET analysis + breakpoint

73. Technical Bonus • Usage of managed code == .NET framework 0:008> du rdx+c 0000028c`bd53f13c "http://blog.talosintelligence.co" 0000028c`bd53f17c "m/" 0:008> du r8+c 0000028c`bd53f3b4 "c:usersluciferdesktopdemo.tx" 0000028c`bd53f3f4 "t" • SOS for .NET analysis + breakpoint

74. www.talosintelligence.com blog.talosintel.com @talossecurity @r00tbsd @SecurityBeard

Modern Reconnaissance Phase on APT - protection layer

You are reading a preview.

Check these out next

Modern Reconnaissance Phase on APT - protection layer

More Related Content

Slideshows for you (20)

Similar to Modern Reconnaissance Phase on APT - protection layer (20)

More from Shakacon (20)

Recently uploaded (20)