42 - Malware - Understand the Threat and How to Respond

Malware
Understanding the Malware Threat and How to Respond
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@DarkCoderSc @fr0gger_

Malware Agenda
#1 What is a Malware?
# Malware Definition
# Malware Economy
# Malware Attribution
#2 Malware Techniques
# Infection Vectors
# Persistence
# Privilege escalation
# Evasion Techniques
# C&C
#3 Malware Analysis
# Static Analysis
# Dynamic Analysis
#4 Usecase Remote Administration Tools (RAT)
# Definition
# Business Model
# Network Architecture
# Network Protocol
# Payload Configuration
#5 Conclusion

What is a Malware?
Malware Introduction to Malware – Focus on Remote Administration Tool Family
An introduction to Malicious Software
Malware

Different families of Malware
Virus, Worm
Dropper, File Binder / Wrapper / Crypter, Downloader
Trojan Backdoor
Remote Administration Tools (RAT)
HTTP Botnet
Scareware / Rogue
Ransomware
Stealer (Password and/or Files)
Spyware, Adware
CoinMiners
Rootkit / Bootkit
What is a Malware? Malware Families

What is a Malware?
# Who is behind ?
Grey-hat Black-hat
# Who use them and why ?
• Script Kiddies
• Criminal Organizations
• Governments
• Terrorism
• IT Security Researcher
Who and why

What is a Malware? Malware Economy
# Criminals are making money with their creation
# Using it to steal data
# Selling it for other criminals
# Creating business model such as Malware as a Service

# Ransomware as a Service
Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/

# Exploit kits
Source: https://www.mcafee.com/threat-center/threat-landscape-dashboard/

What is a Malware? Malware Attribution
# Malware are developed by Humans
# Many techniques can lead to attribution
# PDB Path
# Strings
# Code comparison
# Tools used
# Operating method
# Timestamp
# Infrastructure reuse

What is a Malware? Malware Attribution
# Malware are developed by Humans
# Many techniques can lead to attribution
# PDB Path
# Strings
# Code comparison
# Tools used
# Operating method
# Timestamp
# Infrastructure reuse
Attribution can be faked!

Malware Techniques
Infection / Evasion / C&C / Privilege Escalation
Malware

Malware Techniques Infection Vectors
Medias
USB keys, CD/DVD, (External) Hard Drives
Social Networks
Facebook, Twitter, Google+, YouTube / Dailymotion, Instagram etc.
Websites
Phishing, Distributed Software, Vulnerabilities (JAVA, Flash, Web-browser)
Exploits
Local Exploits, Remote Exploits, Physical Exploits
Network Sharing
P2P Software (Torrent, Emule), Network file (NAS, FTP)
Email
Phishing, attachment

Malware Techniques Infection Vectors
# Supply Chain Attack
Third Party Infected Download
Trojanised Software
Source: https://www.youtube.com/watch?v=tX0v-rMcuwc

Malware Techniques Persistence
# To survive to reboot Malware need to be persistent on the infected machine.
# Registry RUN keys
# Task Scheduler
# Windows Services
# AppInit_DLL
# COM Hijacking
# Bootkit

# Registry RUN Keys
# Emotet Malware Example
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce
HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun

# Scheduler can be used to run tasks | NotPetya
• at <time> shutdown.exe /r /f
• schtasks /create /SC once /TN “” /TR shutdown.exe /r /f /ST <time>

# Bootkit

Malware Techniques Privilege Escalation
# Malware needs to elevate privilege to perform actions
To access to sensitive data to steal/modify/encrypt…
# Token Manipulation
# Bypass User Access Control (UAC)
# Vulnerability Exploitation
# Hooking
# Dump Credentials
# Many more

# Token Manipulation | Teslacrypt

# UAC Bypass | Operation HoneyBee
cmd /c wusa %TEMP%setup.cab /quiet /extract:%SystemRoot%System32 &&
del /f /q %TEMP%setup.cab && cliconfg.exe cmd /c expand
%TEMP%setup.cab -F:* %SystemRoot%System32 && del /f /q
%TEMP%setup.cab && cliconfg.exe
# The macro extracts the CAB file into %systemroo%system32,
using either wusa.exe or expand.exe (depending on the OS) to
bypass UAC prompts
# Once the files have been extracted, the Visual Basic macro
deletes the CAB file and runs the malicious NTWDBLIB.dll via
cliconfg.exe (to gain privileges and bypass UAC protections)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/

# Vulnerability Exploitation | Wannacry - EternalBlue
# EternalBlue Vulnerability from Equation Group (MS17-010) – Kernel Exploit
# Used to spread on the network but also to obtain system privileges
https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/

# Credentials Dumping | Olympic Destroyer
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Malware Techniques Evasion Techniques
# Malware use Evasion Techniques to avoid detection, analysis
https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques
Packer/Binder/Crypter
Compress/Encrypt, IAT Protect, Code Virtualizing
Process Injection
Process Hollowing, DLL Injection, Process Doppelganging
Sandbox Evasion
VM Artifacts, x86 Instructions, Sleep, Running Process
Anti-Virus Evasion
Disabling AV, file Size, Injection
Obfuscation
Base64, XOR, Encryption, Hash, Custom
Anti-Debugging
Windows API, Timing Check, Debugger Detection
Anti-Forensic
Melting, File-less, Wiper, Removal

# Packers
https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/

# Process Hollowing | Zcrypt Ransomware

# Antivirus Detection | Pinkslipbot

# Virtual Machine Detection | Pinkslipbot

# Unprotect Project | Malware Evasion Trick Database
Unprotect.tdgt.org

Malware Techniques Command & Control
# Malware needs to communicate with C&C
# Infected machines controlled by the same C&C are called Botnet
# Malware use C&C to:
# Receive command
# Exfiltrate/download data
# Get encryption key (Ransomware) or
interact to pay the ransom
Matthew Andrews/Getty Images/Hemera

# Fast-Flux communication
# One domain has multiple IP addresses
# Every 3 min or more, host is pointing to
another computer
# Infected machines can serve of proxy
https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png

# Domain Generation Algorithm
# Connexion to multiple domains
# Lot of domain can be generated by the
sample
# Attackers can activate one of several
servers to allow communication
# Conficker worm used this technique
https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga

Malware Techniques More Information
# Mitre ATT&CK Matrix | https://attack.mitre.org

Malware Analysis
Process, Techniques, Tools
Malware

• Packed?
• Encrypted?
• Reverse
Engineering
Malware Analysis Process
Identification Analysis
• Hash calculation
• Virus Total…
• Anti-Virus
• Previous research
• Internal Databases
Static
Dynamic
Detection
and
Remediation
• What the malware
does?
• Which CnC it
contacts?
• Does it still data?
• How does it
infects my system?
• Sandboxing
• Debugging
• Monitoring
Infected
machines
• Block CnC
• Deploy signature
• Clean infected
machines
• Improve Security

Malware Analysis Toolkit
# Static Analysis
# Packer Detection: PEiD, RDG Packer
Detect, DIE…
# PE Format: Ressource Hacker, PEStudio,
StudPE…
# Reverse Engineering: IDA, Radare2,
DnSPY…
# Sysinternals: Strings, Sigcheck…
# Utilities: HexEdit, Python…

Malware Analysis Toolkit
# Dynamic Analysis
# Process: Process Explorer
# Monitoring: Regshot, Procmon, Autoruns,
API-Monitor…
# Network: Wireshark, Fiddler, CurrPort…
# Debugging: OllyDBG, X64DBG…
# Sandbox: Cuckoo, Proprietary Sandbox…

Remote Administration Tools (RAT)
Malware
A popular Malware Framework
Malware

# What is a Remote Administration Tool
A RAT is a Malware Framework designed to take the control of a remote system:
• Trojan Backdoor
• Botnets
• File Binder / Wrapper, Downloader
• Stealer
• Spyware
• Crypter
• Worms
Commonly offered remote control modules:
• Remote Desktop Streaming
• Remote Webcam Streaming
• Remote Ambient Sound Streaming (Micro)
• Keylogger
• Password Grabber
• System Management
• File System Management
RAT Introduction

• Backorifice
• SubSeven (Sub7)
• Optix
• Beast
• LanFiltrator
• Institution 2004
• Netbus
• Coma
• Y3k RAT
• Prorat
• Mosucker
Past generation : Recent generation :
• Poison Ivy
• Bifrost
• Blackshades
• Turkojan
• DarkComet
• NetWire
• SpyNet (Xtreme RAT)
• NjRAT
• NanoCore
• L0stD00r
• SubSeven (New gen)
# Few renowned RAT’s
RAT Introduction

Freeware
Shareware
Open Source
SaaS (Software as a Service)
It is a real business
RAT Business Model

One shot
The product owner received a one time payment and gives in exchange the different
application parts.
Monthly, Yearly, Version
The product owner could also decide to rent his Malware with a subscription limited in time.
Extra Services
• FUD / UD
• Support
• Pay per installs
• Extra Modules
• Training
• Open Source Access
RAT Business Model

Payment methods:
Liberty Reserve
Online banking system
Western Union
Cash deposal service
PayPal
Ease of use
Crypto-currency
Bitcoin, Monero, Ethereum
RAT Business Model

Malware Identify the different parts of the Framework
C&C Stub Editor Stub
Graphical application
to take the control of
infected machines
by the Malware
Graphical application
designed to configure
the Malware
The Malware
.exe, .js, .bat, .py, .pdf, .docx
RAT Identify the Different part of the Framework

Malware Network Protocol
• Client / Server based architecture
• Malware coder can create custom protocol
• They can also use existing protocol (HTTP Botnet)
• To evade detection, cryptographic principle could be used
RAT Network Protocol

# Mode 1 : Direct Connection
C&C – Client
Connect(89.27.25.120)
Stub – Server
Listen(1403)
Out Port
(TCP/UDP) > 1403
Internet (Cloud)
In Port
(TCP/UDP) > 1403
Malware Network Models
RAT Network Models

# Mode 2 : Reverse Connection
C&C – Client
Listen(1403)
Stub –Client
Connect(45.25.142.32)
In Port
(TCP/UDP) > 1403
Internet (Cloud)
Out Port
(TCP/UDP) > 1403
RAT Network Models

# Mode 3 : Hybrid (Direct and/or Reverse)
C&C – Client
Connect(89.27.25.120)
Stub – Server
Listen(1403)
Out Port
(TCP/UDP) > 1403
Internet (Cloud)
In Port
(TCP/UDP) > 1403
C&C – Client
Listen(1403)
Stub –Client
Connect(45.25.142.32)
In Port
(TCP/UDP) > 1403
Internet (Cloud)
Out Port
(TCP/UDP) > 1403
AND / OR
RAT Network Models

# P2P (Peer to Peer)
RAT Network Models

# Example of communication system
Server
Client
Main Thread + Listener Thread
(Server)
Closed Client
New Client
Receive Plain / Text
Management Thread
Receive Buffer
Thread
Process List
File List
Reverse shell stdout buffer
Webcam Streaming
Desktop Streaming
File Transfer
+
+
Main Thread +
Connection
Attempt to C&C
routine Thread
New Server +
Command Parser
and Dispatcher
Thread
Process List
File List
Remote Desktop Thread+

# HTTP Protocol
GET ; POST ; PUT ; UPDATE ; DELETE etc.

# Nature of transmitted data
CSV
kill:14032,1254,12687
JSON
{
“action”:”kill”,
“data”:[
14032,
1254,
12687
]
}
BYTES (Struct)
4c000000011402000000
0000c0000000000000469
b000800200000005284ce
b6f7c8d3015284ceb6f7c
8d3014b5333d55ba3d301
00fa01…

# Use case : Basic File Transfer
1
2
filesystem;c:
filesystem;c:windows,c:users,c:Pr
ogram Files,c:Program Files
(x86)|c:file.pdf,c:file2.png...
3 downloadfile;c:file.pdf
4downloadfile;c:file.pdf,10240
5 OK
6CHUNK 1 CHUNK 2 CHUNK N
C&C Infected system
file size / packet size = number of packets required for a file transfer

# Encryption Layer
Symmetric Encryption
RC4 / AES / Camelia
Key : passw0rd
RC4 / AES / Camelia
Key : passw0rd
Packet Data (Plain,
Byte)
Cloud Packet Data (Plain,
Byte)
Hello CF012FA29C HelloCF012FA29C

# Little reminder to XOR Encryption
0 0 0
1 0 1
0 1 1
1 1 0
0 1 0 0 1 1 0 0 1 0 1 1 1 1 0 0
1 1 1 0 0 1 1 1 0 0 1 1 0 1 0 1
1 0 1 0 1 0 1 1 1 0 0 0 1 0 0 1
1 0 1 0 1 0 1 1 1 0 0 0 1 0 0 1
1 1 1 0 0 1 1 1 0 0 1 1 0 1 0 1
0 1 0 0 1 1 0 0 1 0 1 1 1 1 0 0
Plain data
Secret key
Encrypted data
DATA xor KEY = ENCRYPTED_DATA
ENCRYPTED_DATA xor KEY = DATA
ENCRYPTED_DATA xor DATA = KEY

# Encryption Layer
Asymmetric Encryption
RSA / ECC
Remote public key
RSA / ECC
Local private key
Session key Session keyCloud
Step 1 : Transmit a generated temporary session key using asymmetric algorithm
RC4 / AES / Camelia
Key : temporary session key
RC4 / AES / Camelia
Key : temporary session key
Packet Data (Plain,
Byte)
Cloud Packet Data (Plain,
Byte)
Hello CF012FA29C HelloCF012FA29C
Step 2 : Symmetric encryption using transmitted session key

Malware Payload Configuration
• Payload configuration contains important information about how to contact
the C&C
• IP address(es) / Domain Name pointing to IP address(es)
• Communication Port(s)
• It also contains other important configuration elements such as
• Persistence Information's (Startup, Process, File)
• Anti’s functions (Anti-VM, Anti-Debugger etc.)
• Encryption key (symmetric)
• C&C private key for asymmetric traffic encryption (Asymmetric)
• Optional file downloader (if dropper module available and enabled)
• Embedded files (File Binder / Wrapper)
• Fake error messages / events (Open other process)
• Etc.
RAT Payload Configuration

• Multiple ways exist to store the configuration inside the Stub
• PE Resources Section
• PE Custom Section
• EOF (End Of File)
• In the same way of network communication, the configuration could be from any formats
• Plaintext : CSV, JSON, XML
• Byte encoded structures
• Some Malware encrypt configuration data to hide sensitive data's

# PE (Portable Executable) Resources
.rsrc
(Resource Section)
DOS Segment
PE Header
Section Tables
Section 1
…
Section N
DOS Header
Icon
Versions Info
Bitmaps
Custom Resources
Window Resources (Dialogs)
* LockResource, LoadResource, UpdateResource, SizeOfResource…

# PE (Portable Executable) Sections
Section Tables Add new section info
Section Address : 0x000FF12A
Size of section : N Bytes
Name of section : malconf
Section 1
DOS Segment
PE Header
Section 1
Section N
DOS Header
…
Custom Section
0x000FF12A
Explore PE Header and Sections (PE Bear)
JSON / CSV / Structures etc.
{
"cncaddr": [
"127.0.0.1",
"192.168.0.11",
"89.214.25.111",
"lamer.no-ip.org",
"lamer2.dyndns.org"
],
"startup": {
"enabled": true,
"name": "svchost.exe"
}
[...]
}

# EOF (End of File)
Payload configuration is simply appended at the End of the application file.
Appending content at the end of an application file doesn’t corrupt the application itself since it is out of the scope defined by the PE Structure
(SizeOfImage structure attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER)
Most Antivirus detect such behavior by comparing the size of the image (SizeOfImage) from the PE Header with the file size.
Example (Pascal/Delphi)

Malware Payload Formats
Binary Application
Script Files
Documents
Exploit Kit
RAT Payload Format

Malware An example of timeline
Malware Execution
ping + timeout
delete original copy
run installed copy
Installed
Exit Process
Copy to destination location
Register location to startup
Extract embedded files
Download / Execute
Initialize Melting
Inject code to legitimate process
(Explorer.exe ; Iexplore.exe ; firefox.exe)
No
Create Mutex
Exists
No
Yes
Establish a connection to C&C
Anti-VM
Yes
Detected
Yes No
RAT Infection Process

Conclusion
“Know your enemy”
Malware

Conclusion
# Malware are becoming more and more complex
# Security industry and researcher are developping new techniques to
fight advanced threats.
# Understand the concepts behind malware can help to stay protected

Thank You
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
@DarkCoderSc
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@fr0gger_
Q/A

42 - Malware - Understand the Threat and How to Respond

More Related Content

What's hot

Similar to 42 - Malware - Understand the Threat and How to Respond

Recently uploaded

42 - Malware - Understand the Threat and How to Respond