Alexis Dorais-Joncas, ESET
Thomas Dupuy, ESET
The Sednit group, a.k.a. Fancy Bear, Sofacy, or APT28, is one of the most prolific APT groups in existence.
They have gained an increasing amount of attention from the media and researchers over the years. They have allegedly infiltrated strategic organizations during the past years, like the Democratic National Committee, the German Parliament, and the French media TV5 Monde. They are also known to pull out 0-day exploits in order to compromise their victims.
Last year, we released an extensive analysis of Sednit’s toolkit, describing their arsenal as well as their operations. Since then, their ecosystem has kept evolving. In this presentation, we will talk about the current trends we’ve observed since December 2016, including components they stopped using and refinements to their existing toolkit. Here is what we will cover:
- A few 0-day exploits we’ve found in the past ten months: we will quickly analyze how the exploits were used and how we tracked them. We will talk about our experience reporting these critical vulnerabilities, which were actively exploited in the wild.
- An overview of the targeted campaigns we have seen recently, with the evolution of their toolkit and the disappearance of some of their components
- Recent discoveries on XAgent: now at version 4, they keep working on their flagship backdoor, which has new features. We will describe its evolution through the years.
- And finally, we will talk about a new component we dubbed Tartine (a.k.a. Zebrocy), which is a Delphi backdoor that was heavily used while attacking Eastern European institutions. This component went under the radar for quite some time and was recently linked to the Sednit group.
23. The Bear Takes Pictures
• new key `img=`
• base64 encoded
• PowerSniff
24. XAGENT (a.k.a. SPLM, CHOPSTICK)
Flagship backdoor
• Downloaded by SEDUPLOADER
• Modular backdoor developed in C++
• Deployed in most Sednit operations, usually after the reconnaissance phase
• Period of activity: November 2012 - Now
38. Kernel Commands
Commands v3          Commands v4
[…]                  […]
2: PING_REQUEST      X
X                    34: LocalStorage
X                    35: LocalStorage
X                    36: LocalStorage
[…]                  […]
39. And More...
• New channel version
• WinHttp
• New module version
• ModuleFileSystem (wrapper for FS operations)
• ModuleRemoteKeylogger (keylogger)
• ProcessTranslatorModule (backdoor)
• unknown module (LocalStorage?)
40. Conclusion
• Group still active with multiple campaigns
• SednitToolkit += Word Macros
• SednitToolkit -= Sedkit
• SednitToolkit += Dealer’s Choice
• SednitToolkit[XAgentVersion]++
Hi
Very happy to be here, it’s our first time at BlueHat
Impressed at the quality of the talks we saw since yesterday
Thanks to the organizers for their hard work and also for inviting us
Original speaker for this talk was Jessy Campos, unfortunately Jessy is no longer with ESET so you’ll be stuck with the next best thing
CLIC
<Thomas intro>
<Alexis Intro>
We’re both in Montreal
This talk is about the Sednit group, also known as Fancy Bear
First: we’ll talk about what is Sednit?
In fact let’s get this out of the way: Sednit is a group of attackers doing targeted attacks since 2004, mainly interested in geopolitics. They develop and maintain a large set of custom malicious tools to perform their actions.
CLIC
The rest of the talk is split into 2 parts: we’ll first go quickly over the major Sednit campaigns since Oct 2016, and then we’ll dive into Sednit’s tooling and what changed over that period of time.
First campaign I want to start with was launched at the end of August / mid-Sept
Infection vector was spearphishing with links to Sedkit
Sednit’s custom exploit kit platform
Targets we saw were embassies and political parties in Central Europe
Two domain names were used, lookalikes of real news sites
World POST journal .com (Aug 24-25)
CLIC
World PRESS journal .com (Sept
This was the last time we saw Sedkit used. All the campaigns after that one used other techniques.
As is often the case with this group, this attack contained some pretty obvious mistakes. One example is this email
CLIC
Email Subject does not match the phishing link
CLIC
It is doubtful Dr Hunt would mis-spell United Nations this way
To be honest, at the time of this campaign, we were also not on top of things – we saw this campaign happening but didn’t dig into it immediately
we were in the process of publishing a lengthy whitepaper on Sednit. At some point we had to decide when to stop analyzing new things coming in and focus on getting the report out there.
So we were busy with that, and also busy preparing our presentation for a very important conference
CLIC
happening at that same time in Redmond
That’s life I guess
TD
For Christmas we saw a phishing campaign from the Sednit group that wasn’t publicly documented yet.
The main targets: multiple MFAs and embassies from Europe
Although most of Sednit’s phishing campaigns are related to political events, this one differs from the others.
It’s a phishing mail from Santa Claus with the well-known ”HOHOHO” and a note at the end of the email saying that if you have been a bad boy or girl you should not open the attachment.
The attachment is the product of the DealersChoice (DC) framework, documented last year by Palo Alto Networks researchers.
Roughly, DealersChoice is a framework that generates malicious documents designed to exploit Adobe Flash vulnerabilities.
There are 2 variants:
Variant A: A standalone variant that includes Flash exploit code packaged with a payload.
Variant B: A modular variant that loads exploit code obtained dynamically from a C&C server based on the specific Flash version installed on the target.
In this campaign the attachment used the variant B.
The CnC delivers a Flash exploit that executes the SedUploader Dropper.
The dropper drops and executes SedUploader Payload.
After gathering some information, if the victim is interesting for the Sednit group it will drop XAgent.
April campaign had something different. Again starts with a phishing email
CLIC
In this case, the target was an employee of the Romanian MFA, with a Word document attached to it
CLIC
The topic of that article is the attack launched by the US military against an airbase in Syria
CLIC
Basically the content was copy-pasted from an article in The California Courier
CLIC
The document also included two embedded exploits
The way it worked is that first
CLIC
an RCE in the Office EPS filter was exploited.
This allows the execution of the first-stage dropper component, Seduploader Dropper,
CLIC
That component uses the second exploit, a use-after-free LPE in win32k
After gaining admin privileges, Seduploader Dropper runs the Seduploader payload component, which performs the reconnaissance phase and allows the infection to continue.
At first we tried to determine to which CVE these two exploits corresponded.
At some point, we realized we couldn’t find any: they were in fact two 0-days.
Of course we got in touch with MSRC to confirm our findings and get the vulns patched.
In fact the patches were released in the following patch Tuesday, about 10 days after we identified them
This adds two new items in the list of 0days used by Sednit
Time is short today to go deeper in the details of the vulnerabilities unfortunately
We published the technical writeup on our blog if you are interested.
Let’s continue to Summer 2017
Mid-July, FireEye observed a wave of spearphishing emails containing a document called Hotel Reservation Form, targeting companies in the hospitality industry in Europe and the Middle East
The attachments were infected with VBA macros, which dropped Seduploader
https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
Mid-October, another campaign spotted by Proofpoint
Targeting MFAs & the private aerospace industry
This time Dealer’s Choice was used to perform the initial infection, freshly updated with a new exploit against Flash
Which, interestingly, was seen exploited a few days before by Kaspersky in an attack launched by the BlackOasis group
- https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
Just a few days later, end of October, another phishing campaign probably targeting participants of a cyber defense conference in Tallinn was documented by Talos
Again using documents infected with malicious macros.
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
Just 2 days ago, McAfee noticed a Sednit campaign spreading an apparently empty Word document abusing Office Dynamic Data Exchange, or DDE,
to execute PowerShell and drop Seduploader
DDE is a way to exchange data between Office applications. For example, it allows a Word table to be updated with the data contained in an Excel document. Convenient, but it also allows arbitrary code execution, provided the user clicks Yes on a few warning prompts.
DDE is either a vulnerability or a feature depending on who you ask
Some say it is an unpatched exploit
CLIC
AND a legit feature
CLIC
Oh they mean an Unpatched feature
Maybe I didn’t have enough coffee today but that is just confusing
Anyway, the point is that Sednit is abusing this mechanism
https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/
This was just a very high level overview of Sednit’s last campaigns, their targets and infection vectors.
With regards to the tools involved:
- We didn’t see *any* new tools in their arsenal
- They have stopped using some of their previous tools:
SedReco
Sedkit (last sighting was a year ago)
Most of the remaining tools that *were* used underwent some regular maintenance and minor feature updates
Seduploader
Xtunnel
XAgent
To TD
Starting with SedUploader, the last main update was last April for the Trump campaign as Alexis mentioned earlier.
The new feature is the ability to take a screenshot of the victim’s desktop.
SedUploader uses a key/value system to send a report to the CnC server.
The new key here is img, corresponding to the screenshot function, and the value is the base64-encoded screenshot
The function that handles this feature presents some similarities with another malware called PowerSniff.
Notice that it’s not the first time that they take inspiration from other malware. For example, Seduploader includes code from Carberp
Another tool still used by the Sednit group is XAgent
XAgent is the flagship backdoor written in C++, downloaded by the Seduploader payload
used in most of the operations over the past few years, usually after a reconnaissance phase
We dated XAGENT’s first appearance to Nov 2012
TD
We know either first hand or through third-party publications that XAgent is available on many platforms
The most recent one was OSX, discovered in February by Bitdefender researchers
An Android version discovered by CrowdStrike
iOS by Trend Micro
And there is also a Linux version out there, still used
// android: https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units
// iOS: http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found
// OSX: https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28
// Linux: ESET whitepaper section XAGENT
With XAgent on all platforms, the Sednit group didn’t put the Windows platform aside. Shortly after discovering the malware on the missing platform (OSX),
we received a sample with kernel module version 4, which, as Alexis said, was a big maintenance update for XAGENT
Reversing a new version of a malware is always more interesting than reversing old stuff.
So we started to take a look at it and in the next slides I will describe some new stuff that we discovered
As the sample is still under analysis we don’t have all the answers yet.
For those who have already seen an XAgent sample in a disassembler, you know for a fact that reversing XAgent is a tedious task. This new version is no exception.
The new features and improvements that we will cover here are the following:
A new encryption method
A new DGA
Some improvements in the network protocol and new commands.
Encryption Algorithm
In version 3, most of the strings are encrypted and in most samples RTTI is obfuscated
The screenshot shows the control flow graph of the encryption algorithm in IDA
Notice that all the magic happens in this block:
yes, we are talking about a simple XOR loop.
Here is what it looks like in HexRays, pretty easy.
In version 4, as you probably expect, all strings are encrypted and in all samples RTTI is obfuscated
Here is what the CFG looks like: a bit more complex
HexRays does a decent job of simplifying all the operations: just copy-paste and DONE
However, I figured out from the other samples that all constants are generated at compilation time and differ for each sample
Not as easy as I expected
Another new feature implemented in some samples is a kind of DGA.
I will explain later why I call it a kind of DGA
The DGA is a concatenation of 4 words + .com
The 4 words are dispatched in 3 arrays (one array is used twice)
The function that handles domain generation takes a seed and the number of domains to generate.
The seed is different from one sample to another, so it’s probably generated at compilation time
Now you can understand why I’m saying that it’s a kind of DGA: we can run the sample multiple times and each time the same domains will be generated.
A quick HexRays output shows us how it works.
Once the seed is calculated, it takes the offset modulo the size of the array to pick the encrypted word.
Then the encrypted word is decrypted.
That means that we never have the full array in plaintext in memory.
As I said before, array number 1 is used twice.
To give you an idea, with array sizes of 149, 31 and 99, this DGA can generate 149*31*99*(149-1) = 67,677,588 domains, about 68 million
In this example I voluntarily put the word arrays in plaintext.
It takes the 1st word in the first array, then the 1st in the second array, then the 3rd in the third array, and finally the fifth in the first array.
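As an added example (not ESET’s code, and not XAgent’s real word lists, which are encrypted per sample), here is a defender-side matcher for the domain shape just described: four words drawn from three arrays, with array 1 used twice, followed by .com, plus the slide’s keyspace count as a function. The word arrays and the DNS log lines are constructed for the example, and the (149-1) factor is read as excluding the word already drawn from array 1.

```python
from typing import List, Optional

# Word arrays constructed for this example; the real lists are not on the slides.
ARRAY_1 = ["cloud", "secure", "update", "data", "sync"]
ARRAY_2 = ["mail", "net", "store", "app"]
ARRAY_3 = ["online", "service", "center", "portal"]
# Slot order from the talk: array 1, array 2, array 3, then array 1 again.
SLOTS = (ARRAY_1, ARRAY_2, ARRAY_3, ARRAY_1)
TLD = ".com"


def keyspace(n1: int = 149, n2: int = 31, n3: int = 99) -> int:
    """Distinct domains for the array sizes on the slide: 149*31*99*(149-1).
    The (149-1) factor is read as: slot 4 excludes the word used in slot 1."""
    return n1 * n2 * n3 * (n1 - 1)


def decompose(domain: str) -> Optional[List[str]]:
    """Return the 4 words if domain has the word1+word2+word3+word1'.com shape.
    Words have different lengths, so the label is split by backtracking."""
    label = domain.strip().lower().rstrip(".")
    if not label.endswith(TLD):
        return None
    label = label[: -len(TLD)]

    def walk(pos: int, slot: int, acc: List[str]) -> Optional[List[str]]:
        if slot == len(SLOTS):
            return acc if pos == len(label) else None
        for word in SLOTS[slot]:
            if slot == 3 and word == acc[0]:  # repeated array: word already used
                continue
            if label.startswith(word, pos):
                found = walk(pos + len(word), slot + 1, acc + [word])
                if found is not None:
                    return found
        return None

    return walk(0, 0, [])


def flag_queries(log_lines: List[str]) -> List[str]:
    """Queried names matching the DGA shape; constructed log format: ts client qname."""
    return [ln.split()[-1] for ln in log_lines if decompose(ln.split()[-1]) is not None]


# Constructed DNS log lines for the example.
SAMPLE_LOG = [
    "2017-11-09T10:00:01Z 10.0.0.5 cloudmailonlinesecure.com",
    "2017-11-09T10:00:02Z 10.0.0.5 www.example.com",
    "2017-11-09T10:00:03Z 10.0.0.7 datastoreportalsync.com",
    "2017-11-09T10:00:04Z 10.0.0.7 cloudmailonlinecloud.com",
]
```

Running `flag_queries(SAMPLE_LOG)` flags the first and third names; the last one is rejected because its fourth word repeats the first, matching the (149-1) reading.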
Network protocol
The network protocol got a few modifications, mainly regarding the words used for GET/POST request generation
They also added a hardcoded token used to verify if a packet is valid.
The AgentKernel handles different commands from the CnC server, about 12 commands
The command that handles the PING REQUEST was removed.
This command allowed the attackers to retrieve module ids from an XAgent sample.
3 new commands were added to interact with the LocalStorage.
The LocalStorage is the kernel store. It contains both a file-based storage for the communication with the CnC server and a Microsoft registry based storage
to store various configuration parameters
A new version of the kernel generally means new versions of the modules
As we are still analyzing it we don’t know yet all the differences from the previous version.
One interesting thing is a new module id that we didn’t successfully identify.
We saw XAgent with only this one module dropped and, sometimes later, another version of XAgent with all the modules described above.
The module has some similarities with the LocalStorage. It’s using another storage path, probably to avoid detection
Looks like data storage (Software\Microsoft\Notepad, StringFromCLSID) ModuleFileSystem?
To conclude, we made a certain number of observations
Sednit is still active with multiple campaigns
Started using attachments containing malicious VBA macros to perform the initial infection
Stopped using Sedkit last year, preferring Dealer’s Choice in several cases
Which is interesting, because Sedkit provides more flexibility to perform the infection:
Can exploit browser, Java, Flash, Adobe Reader
While DC is limited to Flash exploits
The only difference is that Sedkit requires the target to visit a URL, instead of opening an attachment
Xagent is still the core backdoor of the group, and being actively developed and improved on multiple platforms.
One last anecdote to share before we let you go
In the last 12 months, another type of campaign related to Sednit found its way into my own mailbox
I started receiving very formal legal requests from Microsoft about the domain windowsappstore.net, which we sinkholed in 2015 and which was used by the SedReco component.
We offered to hand over control to you, free of charge
But the transfer didn’t seem to work out, so we let the domain expire in May of this year, and it was then grabbed by your MarkMonitor account.
In any case I think I can go public with my new alias now:
CLIC
I’m John Doe 1 and 2, come and see me after the talk if you want to talk to me