No Rest For the Bear
Alexis D-J & Thomas D
Bluehat - November 9, 2017
Bear Hunters?
• Jessy Campos
• Thomas Dupuy, Malware Researcher
• Alexis Dorais-Joncas, Security Intelligence Team Lead
AGENDA
What is Sednit
Bears in action
Bears’ tooling
Conclusion
Bear during Autumn 2016
• Sedkit
• Dealer’s Choice
• Macros / VBA
• Direct RCE/LPE
Bear During Christmas 2016
The Chain of Exploitation
• Dealer's Choice (.docx + SWF exploit)
• SedUploader Dropper
• SedUploader Payload
• Xagent? (not seen in that case)
Bears in April 2017
• Sedkit
• Dealer’s Choice
• Macros / VBA
• Direct RCE/LPE
[Timeline slide, April 2015 to April 2017. Months marked: April, May, June, July, August, September and October 2015; April, May and October 2016; April 2017. Exploits shown for 2015-2016:]
• CVE-2015-3043 (Flash)
• CVE-2015-1701 (Windows LPE)
• CVE-2016-7855 (Flash)
• CVE-2016-7255 (Windows LPE)
• CVE-2016-4117 (Flash)
• CVE-2015-2590 (Java)
• CVE-2015-4902 (Java click-to-play bypass)
• CVE-2015-2424 (Office RCE)
• CVE-2016-1019 (Flash)
• CVE-2015-7645 (Flash)
April 2017:
• CVE-2017-0261 (Office RCE)
• CVE-2016-0263 (Windows LPE)
The Bears in Summer 2017
July: “Hotel Reservation Form”
• Sedkit
• Dealer’s Choice
• Macros / VBA
• Direct RCE/LPE
The Bears in Autumn 2017
October: “World War 3”
• Sedkit
• Dealer’s Choice
• Macros / VBA
• Direct RCE/LPE
The Bears in Autumn 2017
October: “CyCon”
• Sedkit
• Dealer’s Choice
• Macros / VBA
• Direct RCE/LPE
The Bears in Autumn 2017
October: “ISIS attack in New York”
• Sedkit
• Dealer’s Choice
• Macros / VBA
• Direct RCE/LPE
• DDE
Bear’s tooling
The Bear Takes Pictures
• new key `img=`
• base64 encoded
• PowerSniff
XAGENT
(a.k.a. SPLM, CHOPSTICK)
Flagship backdoor
• Downloaded by SEDUPLOADER
• Modular backdoor developed in C++
• Deployed in most Sednit operations, usually after the reconnaissance phase
• Period of activity: November 2012 - Now
Xagent Is Everywhere
• OSX
• Android
• iOS
• Linux
But what about Windows?
Features
• Encrypted Strings Algorithm
• "Domain Generation Algorithm"
• Network Protocol
• New Kernel Commands
• ...
Encrypted Strings Algorithm v3
[...]
i = data_size-- % mask_size;                                   // mask index from the current position, then step back one byte
result[data_size + 1] = data[data_size + 1] ^ data[data_size] ^ mask[i];   // byte ^ previous (encrypted) byte ^ mask byte
[...]
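The v3 routine read as a decryption loop, as an added example that is not the sample's or ESET's code: it walks backwards exactly as the decompiled fragment does, and assumes that the first byte, whose handling the slide elides, is only XORed with mask[0]; v3_encrypt is the inverse, used to build test vectors and confirm the round trip.

```python
def v3_decrypt(data: bytes, mask: bytes) -> bytes:
    """Reproduce the v3 loop from the slide: from the last byte down to
    index 1, output = byte ^ previous encrypted byte ^ mask[position]."""
    if not data:
        return b""
    result = bytearray(len(data))
    size = len(data) - 1
    while size > 0:
        i = size % len(mask)      # i = data_size-- % mask_size
        size -= 1
        result[size + 1] = data[size + 1] ^ data[size] ^ mask[i]
    # Assumption: the slide elides the first byte; treat it as mask-only.
    result[0] = data[0] ^ mask[0]
    return bytes(result)


def v3_encrypt(plain: bytes, mask: bytes) -> bytes:
    """Inverse of v3_decrypt (chained XOR), used here only to build
    test vectors; the slide shows the decryption direction only."""
    if not plain:
        return b""
    out = bytearray(len(plain))
    out[0] = plain[0] ^ mask[0]
    for j in range(1, len(plain)):
        out[j] = plain[j] ^ out[j - 1] ^ mask[j % len(mask)]
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a string and a short mask, round-tripped.
    mask = b"\x13\x37\x42"
    blob = v3_encrypt(b"Flagship backdoor", mask)
    print(blob.hex(), v3_decrypt(blob, mask))
```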
Encrypted Strings Algorithm v4
return (((((a2 ^ (((((((((((a1 - 13 + 42) ^ 0x7B) +
104) ^ 0x72) - 81 - a2 - 76) ^ 0x31) + 75) ^
0x3B) + 3) ^ 0x40) + 100) ^ 0x1C ^ 0xA9) +
41) ^ 0xB9) - 65) ^ 0xA) % 256;
"Domain Generation Algorithm"
Did You Say DGA?
• concatenates 4 words + ".com"
• 3 arrays of words
• 1 unique seed per sample
• number of domains
DGA's Function
[...]
seed = (0x15A4E35 * seed + 1) % 0x100000000i64;                  // linear congruential step, kept to 32 bits
if ( v5 > 0x455 ){
setData(&struct_str, &table1[0x32 * (seed % 0x95)], 0x32);      // 1st word: table1, 0x95 entries of 0x32 bytes
[…]
setData(&struct_str, &table2[0x1E * (seed % 0x1F)], 0x1E);      // 2nd word: table2, 0x1F entries of 0x1E bytes
[…]
setData(&struct_str, &table3[0x19 * (seed % 0x63)], 0x32);      // 3rd word: table3, 0x63 entries of 0x19 bytes
[…]
setData(&struct_str, &table1[0x32 * ((v15 + seed) % 0x95)], 0x32);   // 4th word: table1 again, index offset by v15
[...]
Example
table1=["street", "company", "part", "system", "number"...
table2=["at", "on", "in", "to", "into"...
table3=["different", "used", "important", "every", "large"...
streetatimportantnumber.com
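The DGA structure described above, as an added example that is not ESET's or the sample's code: it reimplements the generator in Python for defensive use (pre-computing candidate names, and checking observed hostnames against the four-word pattern). Assumptions: the word tables are constructed from the five entries shown per table, so the modulus is the table length rather than the sample's 0x95, 0x1F and 0x63; the seed is advanced once per domain; and the decompiler's v15 is treated as an offset parameter.

```python
# Constructed word tables: only the first five entries of each table are
# on the slides. The real sample indexes 0x95, 0x1F and 0x63 entries.
TABLE1 = ["street", "company", "part", "system", "number"]
TABLE2 = ["at", "on", "in", "to", "into"]
TABLE3 = ["different", "used", "important", "every", "large"]

# A generated name is table1 + table2 + table3 + table1 + ".com", matching
# the slide's "street" + "at" + "important" + "number" + ".com".
SLOTS = (TABLE1, TABLE2, TABLE3, TABLE1)
TLD = ".com"


def lcg_step(seed: int) -> int:
    """One step of the generator from the decompiled function:
    seed = (0x15A4E35 * seed + 1) mod 2**32."""
    return (0x15A4E35 * seed + 1) & 0xFFFFFFFF


def generate_domains(seed: int, count: int, offset: int = 0) -> list:
    """Produce `count` domains from a per-sample seed.

    Assumptions (the slide elides code between the setData calls): the
    seed is advanced once per domain, the first three words use the same
    seed value, and the fourth word's index is shifted by `offset` (the
    decompiler's v15, whose value is not on the slide).
    """
    domains = []
    for _ in range(count):
        seed = lcg_step(seed)
        w1 = TABLE1[seed % len(TABLE1)]
        w2 = TABLE2[seed % len(TABLE2)]
        w3 = TABLE3[seed % len(TABLE3)]
        w4 = TABLE1[(offset + seed) % len(TABLE1)]
        domains.append(w1 + w2 + w3 + w4 + TLD)
    return domains


def decompose(domain: str):
    """Defender-side check: split a hostname into the four table words.

    Returns the tuple of words when `domain` is table1+table2+table3+table1
    followed by ".com", otherwise None. Backtracks because table words can
    be prefixes of one another (e.g. "in" and "into").
    """
    domain = domain.lower().rstrip(".")
    if not domain.endswith(TLD):
        return None
    label = domain[: -len(TLD)]

    def walk(rest: str, slot: int):
        if slot == len(SLOTS):
            return [] if rest == "" else None
        for word in SLOTS[slot]:
            if rest.startswith(word):
                tail = walk(rest[len(word):], slot + 1)
                if tail is not None:
                    return [word] + tail
        return None

    parts = walk(label, 0)
    return tuple(parts) if parts is not None else None


if __name__ == "__main__":
    for d in generate_domains(seed=1, count=3):
        print(d, decompose(d))
    print(decompose("streetatimportantnumber.com"))
```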
Bears Improving Their Communication
Kernel Commands
Commands v3                Commands v4
[…]
2: PING_REQUEST            X
[…]
X                          34: LocalStorage
X                          35: LocalStorage
X                          36: LocalStorage
[…]
(X: command not present in that version)
And More...
• New channel version
  • WinHttp
• New module version
  • ModuleFileSystem (wrapper for FS operations)
  • ModuleRemoteKeylogger (keylogger)
  • ProcessTranslatorModule (backdoor)
  • unknown module (LocalStorage?)
Conclusion
• Group still active with multiple campaigns
• SednitToolkit += Word Macros
• SednitToolkit -= Sedkit
• SednitToolkit += Dealer’s Choice
• SednitToolkit[XAgentVersion]++
Q & A
BlueHat v17 || Sednit Reloaded: The Bears' Operations From Christmas to Halloween
Editor's Notes

  1. Hi. Very happy to be here; it's our first time at BlueHat. Impressed by the quality of the talks we have seen since yesterday. Thanks to the organizers for their hard work and also for inviting us.
  2. The original speaker for this talk was Jessy Campos; unfortunately Jessy is no longer with ESET, so you'll be stuck with the next best thing. CLIC <Thomas intro> <Alexis intro> We are both in Montreal.
  3. This talk is about the Sednit group, also known as Fancy Bear. First, we'll talk about what Sednit is. In fact, let's get this out of the way: Sednit is a group of attackers doing targeted attacks since 2004, mainly interested in geopolitics. They develop and maintain a large set of custom malicious tools to perform their actions. CLIC The rest of the talk is split into 2 parts: we'll first go quickly over the major Sednit campaigns since Oct 2016, and then we'll dive into Sednit's tooling and what changed over that period of time.
  4. The first campaign I want to start with was launched at the end of August / mid-September. The infection vector was spearphishing with links to Sedkit, Sednit's custom exploit kit platform. The targets we saw were embassies and political parties in central Europe. Two domain names were used, lookalikes of real news sites: World POST journal .com (Aug 24-25) CLIC World PRESS journal .com (Sept This was the last time we saw Sedkit used. All the campaigns after that one used other techniques.
  5. As is often the case with this group, this attack contained some pretty obvious mistakes. One example is this email. CLIC The email subject does not match the phishing link. CLIC It is doubtful Dr Hunt would misspell United Nations this way. To be honest, at the time of this campaign we were also not on top of things: we saw this campaign happening but didn't dig into it immediately, as we were in the process of publishing a lengthy whitepaper on Sednit. At some point we had to decide when to stop analyzing new things coming in and focus on getting the report out there. So we were busy with that, and also busy preparing our presentation for a very important conference CLIC
  6. happening at that same time in Redmond. That's life, I guess.
  7. TD For Christmas we saw a phishing campaign from the Sednit group that wasn't publicly documented yet.
  8. The main targets: multiple MFAs and embassies in Europe. Although most of Sednit's phishing campaigns are related to political events, this one differs from the others. It's a phishing mail from Santa Claus with the well-known "HOHOHO" and a note at the end of the email saying that if you have been a bad boy or girl you should not open the attachment.
  9. The attachment is the product of the DC framework, documented last year by Palo Alto Networks researchers. Roughly, DealersChoice is a framework to generate malicious documents designed to exploit Adobe Flash vulnerabilities. There are 2 variants. Variant A: a standalone variant that includes Flash exploit code packaged with a payload. Variant B: a modular variant that loads exploit code obtained dynamically from a C&C server based on the specific Flash version installed on the target. In this campaign the attachment used variant B. The C&C delivers a Flash exploit that executes the SedUploader Dropper. The dropper drops and executes the SedUploader Payload. After gathering some information, if the victim is interesting to the Sednit group it will drop Xagent.
  10. The April campaign had something different. Again it starts with a phishing email. CLIC In this case, the target was an employee of the Romanian MFA, with a Word document attached to it. CLIC
  11. The topic of that article is the attack launched by the US military against an airbase in Syria. CLIC Basically content copy-pasted from an article in The California Courier. CLIC The document also included two embedded exploits.
  12. The way it worked is that first CLIC an RCE in the Office EPS filter was exploited. This allows the execution of the first-stage component, the Seduploader Dropper. CLIC That component uses the second exploit, a use-after-free LPE in win32k. After gaining admin privileges, the Seduploader Dropper runs the Seduploader payload component, which performs the reconnaissance phase and allows the infection to continue.
  13. At first we tried to determine which CVEs these two exploits corresponded to. At some point we realized we couldn't find any: they were in fact 2 0-days. Of course we got in touch with MSRC to confirm our findings and get the vulns patched.
  14. In fact the patches were released on the following Patch Tuesday, about 10 days after we identified them.
  15. This adds two new items to the list of 0-days used by Sednit.
  16. Unfortunately, time is short today to go deeper into the details of the vulnerabilities. We published the technical writeup on our blog if you are interested.
  17. Let's continue to Summer 2017. In mid-July, FireEye observed a wave of spearphishing emails containing a document called "Hotel Reservation Form", targeting companies in the hospitality industry in Europe and the Middle East. The attachments were infected with VBA macros, which dropped Seduploader. https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
  18. In mid-October, another campaign was spotted by Proofpoint, targeting MFAs & the private aerospace industry. This time Dealer's Choice was used to perform the initial infection, freshly updated with a new exploit against Flash, which interestingly had been seen exploited a few days before by Kaspersky in an attack launched by the BlackOasis group. https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
  19. Just a few days later, at the end of October, another phishing campaign, probably targeting participants of a cyber defense conference in Tallinn, was documented by Talos, again using documents infected with malicious macros. http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
  20. Just 2 days ago, McAfee noticed a Sednit campaign spreading an apparently empty Word document abusing Office Dynamic Data Exchange, or DDE, to execute PowerShell and drop Seduploader. DDE is a way to exchange data between Office applications. For example, it allows a Word table to be updated with the data contained in an Excel document. Convenient, but it also allows arbitrary code execution, provided the user clicks Yes on a few warning prompts. DDE is either a vulnerability or a feature, depending on who you ask.
  21. Some say it is an unpatched exploit CLIC AND a legit feature CLIC Oh, they mean an unpatched feature. Maybe I didn't have enough coffee today, but that is just confusing. Anyway, the point is that Sednit is abusing this mechanism. https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/
  22. This was just a very high-level overview of Sednit's latest campaigns, their targets and infection vectors. With regards to the tools involved: - We didn't see *any* new tools in their arsenal. - They have stopped using some of their previous tools: SedReco, Sedkit (last sighting was a year ago). - Most of the remaining tools that *were* used underwent some regular maintenance and minor feature updates: Seduploader, Xtunnel, XAgent. To TD
  23. Starting with SedUploader, the last main update was last April for the Trump campaign, as Alexis mentioned earlier. The new feature is the ability to take a screenshot of the victim's desktop. SedUploader uses a key/value system to send a report to the C&C server. The new key here is `img`, corresponding to the screenshot function, and the value is the screenshot, base64 encoded. The function that handles this feature presents some similarities with another malware called PowerSniff. Notice that it's not the first time they take inspiration from other malware. For example, Seduploader includes code from Carberp.
  24. Another tool still used by the Sednit group is XAgent. Xagent is the flagship backdoor, written in C++, downloaded by the Seduploader payload and used in most of the operations over the past few years, usually after a reconnaissance phase. We dated XAgent's first appearance to Nov 2012.
  25. TD We know, either first hand or through third-party publications, that Xagent is available on many platforms. The most recent one was OSX in February, discovered by Bitdefender researchers; an Android version was discovered by CrowdStrike; iOS by Trend Micro. And there is also a Linux version out there still used. // android: https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units // iOS: http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found // OSX: https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28 // Linux: ESET whitepaper section XAGENT
  26. With Xagent on all platforms, the Sednit group didn't put the Windows platform aside. Shortly after discovering the malware on the missing platform (OSX), we received a sample with the kernel module version 4, as Alexis said, a big maintenance for XAgent.
  27. Reversing a new version of a malware is always more interesting than reversing old stuff. So we started to take a look at it, and in the next slides I will describe some new stuff that we discovered. As the sample is still under analysis we don't have all the answers yet.
  28. For those who have already seen an Xagent sample in a disassembler, you know for a fact that reversing Xagent is a tedious task; this new version is no exception. The new features and improvements that we will cover here are the following: a new encryption method, a new DGA, some improvements in the network protocol and new commands.
  29. Encryption algorithm. In version 3 most of the strings are encrypted and in most samples the RTTI is obfuscated. The screenshot shows the control flow graph of the encryption algorithm in IDA. Notice that the whole magic happens in this block: yes, we are talking about a simple XOR loop. Here is what it looks like in Hex-Rays, pretty easy.
  30. In version 4, as you probably expect, all strings are encrypted and in all samples the RTTI is obfuscated. Here is what the CFG looks like, a bit more complex. Hex-Rays does a decent job of simplifying all the operations: just copy-paste and DONE.
  31. However, I figured out in the other samples that all constants are generated at compilation and are different for each sample. Not as easy as I was expecting.
  32. Another new feature implemented in some samples is a kind of DGA. I will explain later why I call it "kind of" DGA.
  33. The DGA is a concatenation of 4 words + ".com". The 4 words are dispatched in 3 arrays (one array is used twice). The function that handles domain generation takes a seed and the number of domains to generate. The seed is different from one sample to another, so it's probably generated at compilation. Now you can understand why I'm saying that it's a kind of DGA: we can run the sample multiple times, and each time the same domains will be generated.
  34. A quick Hex-Rays output shows us how it works. Once the seed is calculated, it takes the offset modulo the size of the array to pick the encrypted word. Then the encrypted word is decrypted. That means that we never have the full array in plaintext in memory.
  35. As I said before, array number 1 is used twice. To give you an idea, with array sizes (149, 31, 99) this DGA can generate about 149*31*99*(149-1) = 67,677,588 domains, roughly 68 million.
  36. In this example I voluntarily put the word arrays in plaintext. It takes the 1st word in the first array, then the 1st in the second table, then the 3rd one, and finally the 5th in the first array.
  37. Network protocol. The network protocol got a few modifications, mainly regarding the words used for the GET/POST request generation. They also added a hardcoded token used to verify whether a packet is valid.
  38. The AgentKernel handles different commands from the C&C server, about 12 commands. The command that handled the PING REQUEST was removed. This command allowed the attackers to retrieve module IDs from an Xagent sample. 3 new commands were added to interact with the LocalStorage. The LocalStorage is the kernel store. It contains both a file-based storage for the communication with the C&C server and a Microsoft registry-based storage to store various configuration parameters.
  39. A new version of the kernel generally means new versions of modules. As we are still analyzing it, we don't know yet all the differences from the previous version. One interesting thing is a new module ID that we didn't successfully identify. We saw Xagent with only this one module dropped, and sometime later another version of Xagent with all the modules described above. The module has some similarities with the LocalStorage. It's using another storage path, probably to avoid detection. Looks like data storage (Software\Microsoft\Notepad, StringFromCLSID) ModuleFileSystem?
  40. To conclude, we made a certain number of observations. Sednit is still active with multiple campaigns. They started using attachments containing malicious VBA macros to perform the initial infection. They stopped using Sedkit last year, preferring Dealer's Choice in several cases, which is interesting, because Sedkit provides more flexibility to perform the infection: it can exploit the browser, Java, Flash, Adobe Reader, while DC is limited to Flash exploits. The only difference is that Sedkit requires the target to visit a URL, instead of opening an attachment. Xagent is still the core backdoor of the group, and is being actively developed and improved on multiple platforms. One last anecdote to share before we let you go.
  41. One last thing. In the last 12 months, another type of campaign related to Sednit found its way into my own mailbox. I started receiving very formal legal requests from Microsoft about the domain windowsappstore.net, which we sinkholed in 2015, used by the SedReco component. We offered to hand over control to you, free of charge, but the transfer didn't seem to work out, so we let the domain expire in May of this year, and it was then grabbed by your MarkMonitor account. In any case, I think I can go public with my new alias now: CLIC I'm John Doe 1 and 2; come and see me after the talk if you want to talk to me.
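A defender-side check for the DDE abuse described in note 20, added here as an example and not code from the talk or from ESET: a .docx is a zip whose field instructions live in word/document.xml as `w:instrText` runs or a `w:fldSimple` `w:instr` attribute, so a scanner can flag DDE and DDEAUTO fields before a user ever sees the warning prompts. The two documents are constructed in memory and the command in the DDE field is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)  # DDE / DDEAUTO field types

def field_instructions(docx_bytes: bytes) -> List[str]:
    """Every field instruction in word/document.xml, whitespace-normalised."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    found = []
    for para in root.iter(f"{{{W_NS}}}p"):
        # A complex field's instruction may be spread over several
        # w:instrText runs, so join a paragraph's runs before matching.
        runs = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        if runs:
            found.append(" ".join("".join(runs).split()))
        for simple in para.iter(f"{{{W_NS}}}fldSimple"):
            found.append(" ".join(simple.get(f"{{{W_NS}}}instr", "").split()))
    return found

def dde_fields(docx_bytes: bytes) -> List[str]:
    """Instructions that would fire DDE once the user accepts the update prompts."""
    return [f for f in field_instructions(docx_bytes) if DDE_RE.search(f)]

def make_docx(document_xml: str) -> bytes:
    """Minimal constructed .docx in memory (document.xml only, no other parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples: an 'empty-looking' document whose only content is a
# DDEAUTO field split over two runs (placeholder command), and a benign DATE field.
DDE_SAMPLE = make_docx(
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
    '<w:r><w:instrText> DDEAUTO </w:instrText></w:r>'
    '<w:r><w:instrText>"C:\\PLACEHOLDER\\program.exe" "args"</w:instrText></w:r>'
    "</w:p></w:body></w:document>"
)
CLEAN_SAMPLE = make_docx(
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
    '<w:fldSimple w:instr=" DATE \\@ &quot;yyyy-MM-dd&quot; "><w:r><w:t>now</w:t></w:r>'
    "</w:fldSimple></w:p></w:body></w:document>"
)
```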
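A reconstruction of the word-list "kind of DGA" from notes 33 to 36, added here as an example for building detection lists and not the talk's or ESET's code: four words drawn from three arrays (array 1 used twice, with a different word the second time), each index taken as offset modulo the array size, each word kept XOR-encrypted and decrypted only when picked, and a fixed per-sample seed that makes the output identical on every run. The word lists, the XOR key, the seed and the LCG used as the PRNG are all assumptions, since the page gives none of them.

```python
from typing import List, Sequence

# Constructed stand-in word lists; the malware's real lists are not on the page.
ARRAY_1 = ["secure", "update", "cloud", "mail", "office", "service"]
ARRAY_2 = ["net", "web", "data"]
ARRAY_3 = ["portal", "login", "sync", "host"]

SAMPLE_KEY = 0x5A          # assumed per-sample XOR key (constructed)
SAMPLE_SEED = 0x1337BEEF   # assumed compile-time seed (constructed)

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: encryption and decryption are the same operation."""
    return bytes(b ^ key for b in data)

def encrypt_array(words: Sequence[str], key: int) -> List[bytes]:
    """Keep the words encrypted so the whole list is never plaintext in memory."""
    return [xor_bytes(w.encode(), key) for w in words]

def pick(enc_words: List[bytes], offset: int, key: int) -> str:
    """Index = offset modulo the array size, then decrypt only the chosen word."""
    return xor_bytes(enc_words[offset % len(enc_words)], key).decode()

def domain_space_size(n1: int, n2: int, n3: int) -> int:
    """Distinct domains when array 1 supplies two different words (149,31,99 -> 67,677,588)."""
    return n1 * n2 * n3 * (n1 - 1)

def generate(seed: int, count: int, key: int = SAMPLE_KEY) -> List[str]:
    """Deterministic: the same seed yields the same domains on every run,
    which is why the talk calls this only a 'kind of' DGA."""
    e1, e2, e3 = (encrypt_array(a, key) for a in (ARRAY_1, ARRAY_2, ARRAY_3))
    state = seed & 0xFFFFFFFF
    domains = []
    for _ in range(count):
        offsets = []
        for _ in range(4):
            # Assumed PRNG (a plain LCG); the real one is not described.
            state = (1103515245 * state + 12345) & 0xFFFFFFFF
            offsets.append(state >> 16)
        o1, o2, o3, o4 = offsets
        first, last = pick(e1, o1, key), pick(e1, o4, key)
        if last == first:              # second word from array 1 must differ
            last = pick(e1, o4 + 1, key)
        domains.append(first + pick(e2, o2, key) + pick(e3, o3, key) + last + ".com")
    return domains
```

Running `generate(SAMPLE_SEED, n)` twice returns the same list, which is the property that lets a defender precompute the full set for a given sample instead of predicting it by date.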