SlideShare a Scribd company logo

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulation and Scanning by Takahiro Haruyama

CODE BLUE
CODE BLUE

This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.

Presentations & Public Speaking
1 of 59
Download to read offline
Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
Who am I? @cci_forensics Past Research CB 2022
Motivation
Overview CB 2022
Target Summary Winnti 4.0 ShadowPad Prevalence Low High First-observed year 2016 (start-up sequence), 2018 (new C2 protocol) 2015 Scanning start year 2019 2021 Supported protocols TCP/TLS/HTTP(S)/ UDP TCP/SSL/HTTP(S)/ UDP/DNS Unique feature Server-mode Multiple protocol listening at a single port
Winnti 4.0 CB 2022
Winnti Malware Kaspersky Novetta CB 2022
Winnti Malware 4.0 Macnica Networks version 4.0 CB 2022 Version 3.0 Version 4.0 Initial component Dropper Loader and DAT file Initial encryption algorithm DES AES Initial encryption key cracking Easy Hard Worker encryption 1-byte XOR and nibble swap DPAPI or AES with host- specific key
Winnti Malware 4.0 (Cont.) CB 2022 struct struc_work_config { char campaignID[64]; char MAC_addr[6]; int c2_proto; // enum_proto ... } enum enum_proto { none = 0x0, TCP = 0x1, HTTP = 0x2, HTTPS = 0x3, TLS = 0x4, UDP = 0x5, };
C2 Protocol CB 2022
Packet Format CB 2022 struct struc_custom_header { __int16 temp_key_seed; __int16 unk_word; // initial value is 2 __int16 signature; // 0x45DB int payload_len; }; struct struc_custom_payload_init { int payload_type; // request:0xEE775BAA/0x4563CEFA/0x5633CBAD, response:0xFACEB007/0x5633CBAD int unk_dword; // request:0, response:0xC350/0xC352 GUID guid; char null_bytes[14]; __int16 seq_num; // starting from 1 __int16 null_word; };
Encryption AppCall CB 2022
HTTP Protocol CB 2022 Customized packet Customized packet size
HTTP: Size Calculation from Cookie Value CB 2022 $ python validate_cookie.py 640ABEFB16D2CE36E7E83E1B8BEF31B2500ABEFB dw0=0xfbbe0a64, dw1=0x36ced216, dw2=0x1b3ee8e7, dw3=0xb231ef8b, dw4=0xfbbe0a50 The cookie value validated. dword key = 0x34
HTTP: Dummy Data in GET Request CB 2022 Size = 0 Size = 0
Behavior After the Initial Handshake CB 2022 struct struc_nested_payload // at least 0x14 bytes { // e.g., cmd_ID=5 & dispatch_ID=1 order to send victim info __int16 cmd_ID; __int16 dispatch_ID; ... int additional_data_len; struc_data_cmd1 additional_data; // flexible size }; struct struc_custom_payload_next { __int16 messageID; ... __int16 signature; // 0x45db int nested_payload_len; struc_nested_payload nested_payload; };
Scanner Implementation CB 2022 ZMap • Internet-wide port scan • TCP 443 & 80 • UDP 443 & 53 (customized packet required) Stand-alone Python Script • HTTP(S): Decode and Validate Cookie value • Others: Get suspicious responses with the same size and different key IDAPython AppCall • Decrypt response’s customized packet • Validate signature and payload size in the header
How to Differentiate Server-mode Infections and C2 Servers [DEBUG] server header: unknown word = 0x2, header signature = 0x45db, payload length = 0x2a [*] server payload: payload type = 0xfaceb007, unknown dword = 0xc352, GUID = 0b8212dc- e364-4c18-ac0b-26382beb1387, sequence number = 2 [DEBUG] server header: unknown word = 0x2, header signature = 0x45db, payload length = 0x2a [*] server payload: payload type = 0xfaceb007, unknown dword = 0x0, GUID = 00000000-0000- 0000-0000-000000000000, sequence number = 1 Server-mode: the same GUID as client, sequence number incremented C2: null GUID, sequence number reset CB 2022
Result: Population by Protocol CB 2022 TLS 35% HTTPS 29% HTTP 20% TCP 11% UDP 5% TLS HTTPS HTTP TCP UDP
0 5 10 15 20 25 D e c - 1 9 F e b - 2 0 A p r - 2 0 J u n - 2 0 A u g - 2 0 O c t - 2 0 D e c - 2 0 F e b - 2 1 A p r - 2 1 J u n - 2 1 A u g - 2 1 O c t - 2 1 D e c - 2 1 F e b - 2 2 A p r - 2 2 J u n - 2 2 A u g - 2 2 number of active C2s period Result: Change in Number of Active C2s CB 2022 1st disclosure 2nd disclosure
Public Reports Related to Winnti 4.0 C2s Trellix Recorded Future CB 2022
ShadowPad CB 2022
ShadowPad Malware SentinelOne CB 2022
C2 Protocol TCP HTTP(S)/UDP Key size 4 2 Header size 0x14 8 Payload size in the initial handshake packet Up to 0x3F HTTP(S): Up to 0x1F, UDP: 0x10 CB 2022
C2 Protocol (Cont.) CB 2022 Variant name C2 protocol Config size Attribution Source Variant1 (aka ScatterBee) TCP/UDP 0x896 APT41 Positive Technologies Variant2 HTTP(S) 0x85C Tonto Team ESET Variant3 HTTP(S) 0x85C unknown Positive Technologies
TCP Protocol QuickLZ CB 2022 struct struc_common_header { int session_key; int plugin_and_cmd_id; // plugin_id (0x68) << 16 + cmd_id (0x51) byVariant1 int module_code; // 0 int payload_size_compressed; // QuickLZ int payload_size_original; };
TCP Protocol (Cont.) Dr.WEB white paper CB 2022
HTTP(S) and UDP Protocols CB 2022 struct struc_proto_header { __int16 session_key; __int16 type; // 0 in HTTP, req=0x1001/res=(0x2002|0x5005) in UDP __int16 session_src_id; // random 2 bytes, generated by both client/server __int16 session_dst_id; // req=0, res=client's session_src_id };
HTTP(S) and UDP Protocols (Cont.) CB 2022 UDP packet encoding byVariant1 HTTP(S) packet encoding byVariant2 HTTP(S) packet encoding byVariant3
HTTP(S) and UDP Protocols (Cont.) CB 2022 struc_proto_header payload = TCP packet struc_common_header QuickLZ-compressed payload
Scanner Implementation CB 2022 Scanning start period Target protocol/port/variant September 2021 HTTP/443 (Variant2 &Variant3) October 2021 TCP/443 & UDP/53 (Variant1) June 2022 UDP/443 (Variant1), HTTP/80 (Variant3)
Scanner Implementation (Cont.) CB 2022 ZMap • Internet-wide port scan • Targets as mentioned previously Stand-alone Python Script • Decode the response packet • Validate the decoded values • TCP: payload size fields • HTTP(S)/UDP: type and session_dst_id
Multiple Protocol Listening at a Single Port CB 2022 [*] config size = 0x85c .. [+] C2 Entry 0 (offset 0xbc): 'HTTPS://wwa1we.wbew.amazon-corp.wikaba.com:443' [+] C2 Entry 1 (offset 0xed): 'HTTP://wwa1we.wbew.amazon-corp.wikaba.com:443' .. SHA256: d011130defd8b988ab78043b30a9f7e0cada5751064b3975a19f4de92d2c0025 Hostname/port matched
Multiple Protocol Listening at a Single Port (Cont.) CB 2022 $ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp httpVariant2 .. [*] malware options: family = ShadowPad; targeted protocol = http (version =Variant2) [*] ShadowPad specific options: version =Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 53978 [D] POST: http://137.220.185.203:443/ (proxy={}, stream=True, timeout=30) [+] 137.220.185.203,active,client session ID matched (type=0x0) .. $ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp httpsVariant2 .. [*] malware options: family = ShadowPad; targeted protocol = https (version =Variant2) [*] ShadowPad specific options: version =Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 52256 [D] POST: https://137.220.185.203:443/ (proxy={}, stream=True, timeout=30) [+] 137.220.185.203,active,client session ID matched (type=0x0)
Result: Population by Variant CB 2022 Variant1 48% Variant3 42% Variant2 10% Variant1 Variant3 Variant2
0 5 10 15 20 25 S e p - 2 1 O c t - 2 1 N o v - 2 1 D e c - 2 1 J a n - 2 2 F e b - 2 2 M a r - 2 2 A p r - 2 2 M a y - 2 2 J u n - 2 2 J u l - 2 2 A u g - 2 2 S e p - 2 2 number of active C2s period Result: Change in Number of Active C2s CB 2022 System issue New variant?
Samples Communicating with C2 IPs CB 2022 Sample Malware family C2 IP address C2 Protocol/Port used by sample Sample submission date on VT C2 first-seen date by scanner C2 last-seen date by scanner Spyder 156.240.104.149 TLS/443 2021/10/26 2021/10/16 2021/10/16 ReverseWindow 43.129.188.223 TCP/10333 2022/02/27 2021/10/17 2022/10/04 ShadowPad 213.59.118.124 UDP/443 2022/03/20 2022/03/06 2022/09/27
Spyder & Winnti 4.0: Code Similarity CB 2022 Spyder Winnti 4.0 Worker
Spyder & Winnti 4.0: Command IDs CB 2022 Command Spyder Winnti 4.0Worker tag id cmd_ID dispatch_ID Verify the client 1 1 1 1 Send victim information 5 3 5 1 Send plugins information 6 1 6 9 or 13 Save plugin parameters 6 2 6 2 Save plugin data 6 3 6 3 Load and run plugin entrypoint and export function #1 6 4 6 6 Run plugin export function #4 and unload the plugin 6 5 6 7
Spyder & Winnti 4.0: Command IDs (Cont.) CB 2022 Command Spyder Winnti 4.0Worker tag id cmd_ID dispatch_ID Heartbeat 6 6 6 8 Run plugin export function #2 6 7 6 10 Run plugin export function #3 6 8 6 11 Send current connection information 7 2 - (no command) - Run function pointer of the 2nd parameter obtained by running export function #1 11 - 11 -
Spyder & Winnti 4.0: Comparison CB 2022 Spyder Winnti 4.0 Payload encoding / encryption single-byte XOR AES in CTR mode (key given as a cmdline argument) C2 Protocol TLS TCP/TLS/HTTP(S)/UDP Server-mode support No Yes 3rd-party library uthash, Mbed TLS uthash Reported year 2020 2019
Incident Response Case Triggered by Discovered C2 CB 2022
Notes for Internet-wide C2 Scanning CB 2022
How to Get Input (Port Scan) Data scanning target ports CB 2022 ZMap Shodan CenSys TCP/10333 4,940,037 4 1,306 TCP/55555 3,199,856 86 486,497 Note: The data was collected in 2021/11
Anonymization CB 2022 Tor Commercial VPN service Cost Free Non-free Supported protocols TCP TCP/UDP Risk of being blocked High Low
Anonymization (Cont.) ZMap issue CB 2022
Anti-Scanning Techniques: Cobalt Strike CB 2022
Anti-Scanning Techniques: Cobalt Strike (Cont.) blocked CB 2022
Anti-Scanning Techniques: ReverseWindow LuoYu’s ReverseWindow CB 2022
Pros and Cons of Research Publication in Cobalt Strike Case JSAC 2021 CB 2022
Research Publication Merits: Stopping MS Azure domain fronting stated CB 2022 Source: Exposing Malware in Linux-Based Multi-Cloud Environments
Research Publication Merits: Stopping Ongoing Attack Campaign CB 2022 Source: Exposing Malware in Linux-Based Multi-Cloud Environments
Research Publication Demerits: Developer’s Reaction CB 2022
Research Publication Demerits: Threat Actor’s Reaction APT41 CB 2022 Protocol/Port Stager-disabled/Total in Sep 2021 Stager-disabled/Total in Jul 2022 HTTP/80 217/559 (38%) 208/387 (53%) HTTPS/443 210/928 (22%) 206/431 (47%) DNS/53 46/150 (30%) 51/51 (100%) Change in the result of a single scan
Wrap-up CB 2022
Wrap-up CB 2022
Acknowledgement CB 2022
Indicators of Compromise CB 2022 Indicator Type Context 0a3279bb86ff0de24c2a4b646f24ffa196ee639cc23c64a 044e20f50b93bda21 SHA256 Winnti 4.0 dat file 03b7b511716c074e9f6ef37318638337fd7449897be99 9505d4a3219572829b4 SHA256 ShadowPad Variant1 aef610b66b9efd1fa916a38f8ffea8b988c20c5deebf4db8 3b6be63f7ada2cc0 SHA256 ShadowPad Variant2 d011130defd8b988ab78043b30a9f7e0cada5751064b3 975a19f4de92d2c0025 SHA256 ShadowPad Variant3 1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da1 57eb4c1ef0f0430fd5f SHA256 Spyder communicating with the ShadowPad C2 (156.240.104.149) 536def339fefa0c259cf34f809393322cdece06fc4f2b37f 06136375b073dff3 SHA256 ReverseWindow communicating with the ShadowPad C2 (43.129.188.223) 9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a3 25932ad55eef9e0e4a SHA256 ShadowPad Variant1 communicating with the ShadowPad C2 (213.59.118.124)
Questions? CB 2022

Recommended

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
CODE BLUE
 
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
CODE BLUE
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
CODE BLUE
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Digit Oktavianto
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
CODE BLUE
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 

Recommended

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
CODE BLUE
 
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
CODE BLUE
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
CODE BLUE
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Digit Oktavianto
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
CODE BLUE
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
CODE BLUE
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open Source
MITRE ATT&CK
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/Linux
MITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
MITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
MITRE ATT&CK
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
CODE BLUE
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
Thomas Roccia
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
MITRE ATT&CK
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
MITRE ATT&CK
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
MITRE ATT&CK
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
karthikvcyber
 
Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05
gameaxt
 

More Related Content

What's hot

[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
CODE BLUE
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open Source
MITRE ATT&CK
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/Linux
MITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
MITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
MITRE ATT&CK
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
CODE BLUE
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
Thomas Roccia
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
MITRE ATT&CK
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
MITRE ATT&CK
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
MITRE ATT&CK
 

What's hot (20)

[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open Source
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/Linux
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
 
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 

Similar to [cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulation and Scanning by Takahiro Haruyama

IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
karthikvcyber
 
Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05
gameaxt
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
Wim Godden
 
用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver
艾鍗科技
 
Opentalk at Large - StS 2005
Opentalk at Large - StS 2005Opentalk at Large - StS 2005
Opentalk at Large - StS 2005
Martin Kobetic
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Hanaysha
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
idsecconf
 
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
ZahraElhaddi
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornmentAsif
 
Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...
Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...
Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...
Positive Hack Days
 
Networking lab
Networking labNetworking lab
Networking lab
Ragu Ram
 
IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2 IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2
mohammad norozzudegan
 
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
ssuserf7cd2b
 
4.1.1.10 packet tracer configuring extended ac ls scenario 1
4.1.1.10 packet tracer configuring extended ac ls scenario 14.1.1.10 packet tracer configuring extended ac ls scenario 1
4.1.1.10 packet tracer configuring extended ac ls scenario 1
mps125
 
Client server
Client serverClient server
Client server
maryam1231
 
Arduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdfArduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdf
Jcradio Vw
 
Arduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdfArduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdf
Jcradio Vw
 

Similar to [cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulation and Scanning by Takahiro Haruyama (20)

IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
 
Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver
 
Opentalk at Large - StS 2005
Opentalk at Large - StS 2005Opentalk at Large - StS 2005
Opentalk at Large - StS 2005
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 a
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...
Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...
Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...
 
Networking lab
Networking labNetworking lab
Networking lab
 
IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2 IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2
 
Lab telematicos
Lab telematicosLab telematicos
Lab telematicos
 
Lab telematicos
Lab telematicosLab telematicos
Lab telematicos
 
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
 
4.1.1.10 packet tracer configuring extended ac ls scenario 1
4.1.1.10 packet tracer configuring extended ac ls scenario 14.1.1.10 packet tracer configuring extended ac ls scenario 1
4.1.1.10 packet tracer configuring extended ac ls scenario 1
 
Client server
Client serverClient server
Client server
 
Arduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdfArduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdf
 
Arduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdfArduino-based-diag OBD-II_programação.pdf
Arduino-based-diag OBD-II_programação.pdf
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
CODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
CODE BLUE
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...
CODE BLUE
 
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
CODE BLUE
 
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
CODE BLUE
 
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...
 
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
 
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
 
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
 

Recently uploaded

Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 

Recently uploaded (13)

Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulation and Scanning by Takahiro Haruyama

  • 1. Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
  • 2. Who am I? @cci_forensics Past Research CB 2022
  • 5. Target Summary Winnti 4.0 ShadowPad Prevalence Low High First-observed year 2016 (start-up sequence), 2018 (new C2 protocol) 2015 Scanning start year 2019 2021 Supported protocols TCP/TLS/HTTP(S)/ UDP TCP/SSL/HTTP(S)/ UDP/DNS Unique feature Server-mode Multiple protocol listening at a single port
  • 8. Winnti Malware 4.0 Macnica Networks version 4.0 CB 2022 Version 3.0 Version 4.0 Initial component Dropper Loader and DAT file Initial encryption algorithm DES AES Initial encryption key cracking Easy Hard Worker encryption 1-byte XOR and nibble swap DPAPI or AES with host- specific key
  • 9. Winnti Malware 4.0 (Cont.) CB 2022 struct struc_work_config { char campaignID[64]; char MAC_addr[6]; int c2_proto; // enum_proto ... } enum enum_proto { none = 0x0, TCP = 0x1, HTTP = 0x2, HTTPS = 0x3, TLS = 0x4, UDP = 0x5, };
  • 11. Packet Format CB 2022 struct struc_custom_header { __int16 temp_key_seed; __int16 unk_word; // initial value is 2 __int16 signature; // 0x45DB int payload_len; }; struct struc_custom_payload_init { int payload_type; // request:0xEE775BAA/0x4563CEFA/0x5633CBAD, response:0xFACEB007/0x5633CBAD int unk_dword; // request:0, response:0xC350/0xC352 GUID guid; char null_bytes[14]; __int16 seq_num; // starting from 1 __int16 null_word; };
  • 13. HTTP Protocol CB 2022 Customized packet Customized packet size
  • 14. HTTP: Size Calculation from Cookie Value CB 2022 $ python validate_cookie.py 640ABEFB16D2CE36E7E83E1B8BEF31B2500ABEFB dw0=0xfbbe0a64, dw1=0x36ced216, dw2=0x1b3ee8e7, dw3=0xb231ef8b, dw4=0xfbbe0a50 The cookie value validated. dword key = 0x34
  • 15. HTTP: Dummy Data in GET Request CB 2022 Size = 0 Size = 0
  • 16. Behavior After the Initial Handshake CB 2022 struct struc_nested_payload // at least 0x14 bytes { // e.g., cmd_ID=5 & dispatch_ID=1 order to send victim info __int16 cmd_ID; __int16 dispatch_ID; ... int additional_data_len; struc_data_cmd1 additional_data; // flexible size }; struct struc_custom_payload_next { __int16 messageID; ... __int16 signature; // 0x45db int nested_payload_len; struc_nested_payload nested_payload; };
  • 17. Scanner Implementation CB 2022 ZMap • Internet-wide port scan • TCP 443 & 80 • UDP 443 & 53 (customized packet required) Stand-alone Python Script • HTTP(S): Decode and Validate Cookie value • Others: Get suspicious responses with the same size and different key IDAPython AppCall • Decrypt response’s customized packet • Validate signature and payload size in the header
  • 18. How to Differentiate Server-mode Infections and C2 Servers [DEBUG] server header: unknown word = 0x2, header signature = 0x45db, payload length = 0x2a [*] server payload: payload type = 0xfaceb007, unknown dword = 0xc352, GUID = 0b8212dc- e364-4c18-ac0b-26382beb1387, sequence number = 2 [DEBUG] server header: unknown word = 0x2, header signature = 0x45db, payload length = 0x2a [*] server payload: payload type = 0xfaceb007, unknown dword = 0x0, GUID = 00000000-0000- 0000-0000-000000000000, sequence number = 1 Server-mode: the same GUID as client, sequence number incremented C2: null GUID, sequence number reset CB 2022
  • 19. Result: Population by Protocol CB 2022 TLS 35% HTTPS 29% HTTP 20% TCP 11% UDP 5% TLS HTTPS HTTP TCP UDP
  • 21. Public Reports Related to Winnti 4.0 C2s Trellix Recorded Future CB 2022
  • 24. C2 Protocol TCP HTTP(S)/UDP Key size 4 2 Header size 0x14 8 Payload size in the initial handshake packet Up to 0x3F HTTP(S): Up to 0x1F, UDP: 0x10 CB 2022
  • 25. C2 Protocol (Cont.) CB 2022 Variant name C2 protocol Config size Attribution Source Variant1 (aka ScatterBee) TCP/UDP 0x896 APT41 Positive Technologies Variant2 HTTP(S) 0x85C Tonto Team ESET Variant3 HTTP(S) 0x85C unknown Positive Technologies
  • 26. TCP Protocol QuickLZ CB 2022 struct struc_common_header { int session_key; int plugin_and_cmd_id; // plugin_id (0x68) << 16 + cmd_id (0x51) byVariant1 int module_code; // 0 int payload_size_compressed; // QuickLZ int payload_size_original; };
  • 28. HTTP(S) and UDP Protocols CB 2022 struct struc_proto_header { __int16 session_key; __int16 type; // 0 in HTTP, req=0x1001/res=(0x2002|0x5005) in UDP __int16 session_src_id; // random 2 bytes, generated by both client/server __int16 session_dst_id; // req=0, res=client's session_src_id };
  • 29. HTTP(S) and UDP Protocols (Cont.) CB 2022 UDP packet encoding byVariant1 HTTP(S) packet encoding byVariant2 HTTP(S) packet encoding byVariant3
  • 30. HTTP(S) and UDP Protocols (Cont.) CB 2022 struc_proto_header payload = TCP packet struc_common_header QuickLZ-compressed payload
  • 31. Scanner Implementation CB 2022 Scanning start period Target protocol/port/variant September 2021 HTTP/443 (Variant2 &Variant3) October 2021 TCP/443 & UDP/53 (Variant1) June 2022 UDP/443 (Variant1), HTTP/80 (Variant3)
  • 32. Scanner Implementation (Cont.) CB 2022 ZMap • Internet-wide port scan • Targets as mentioned previously Stand-alone Python Script • Decode the response packet • Validate the decoded values • TCP: payload size fields • HTTP(S)/UDP: type and session_dst_id
  • 33. Multiple Protocol Listening at a Single Port CB 2022 [*] config size = 0x85c .. [+] C2 Entry 0 (offset 0xbc): 'HTTPS://wwa1we.wbew.amazon-corp.wikaba.com:443' [+] C2 Entry 1 (offset 0xed): 'HTTP://wwa1we.wbew.amazon-corp.wikaba.com:443' .. SHA256: d011130defd8b988ab78043b30a9f7e0cada5751064b3975a19f4de92d2c0025 Hostname/port matched
  • 34. Multiple Protocol Listening at a Single Port (Cont.) CB 2022 $ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp httpVariant2 .. [*] malware options: family = ShadowPad; targeted protocol = http (version =Variant2) [*] ShadowPad specific options: version =Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 53978 [D] POST: http://137.220.185.203:443/ (proxy={}, stream=True, timeout=30) [+] 137.220.185.203,active,client session ID matched (type=0x0) .. $ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp httpsVariant2 .. [*] malware options: family = ShadowPad; targeted protocol = https (version =Variant2) [*] ShadowPad specific options: version =Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 52256 [D] POST: https://137.220.185.203:443/ (proxy={}, stream=True, timeout=30) [+] 137.220.185.203,active,client session ID matched (type=0x0)
  • 35. Result: Population by Variant CB 2022 Variant1 48% Variant3 42% Variant2 10% Variant1 Variant3 Variant2
  • 37. Samples Communicating with C2 IPs CB 2022 Sample Malware family C2 IP address C2 Protocol/Port used by sample Sample submission date on VT C2 first-seen date by scanner C2 last-seen date by scanner Spyder 156.240.104.149 TLS/443 2021/10/26 2021/10/16 2021/10/16 ReverseWindow 43.129.188.223 TCP/10333 2022/02/27 2021/10/17 2022/10/04 ShadowPad 213.59.118.124 UDP/443 2022/03/20 2022/03/06 2022/09/27
  • 38. Spyder & Winnti 4.0: Code Similarity CB 2022 Spyder Winnti 4.0 Worker
  • 39. Spyder & Winnti 4.0: Command IDs CB 2022 Command Spyder Winnti 4.0Worker tag id cmd_ID dispatch_ID Verify the client 1 1 1 1 Send victim information 5 3 5 1 Send plugins information 6 1 6 9 or 13 Save plugin parameters 6 2 6 2 Save plugin data 6 3 6 3 Load and run plugin entrypoint and export function #1 6 4 6 6 Run plugin export function #4 and unload the plugin 6 5 6 7
  • 40. Spyder & Winnti 4.0: Command IDs (Cont.) CB 2022 Command Spyder Winnti 4.0Worker tag id cmd_ID dispatch_ID Heartbeat 6 6 6 8 Run plugin export function #2 6 7 6 10 Run plugin export function #3 6 8 6 11 Send current connection information 7 2 - (no command) - Run function pointer of the 2nd parameter obtained by running export function #1 11 - 11 -
  • 41. Spyder & Winnti 4.0: Comparison CB 2022 Spyder Winnti 4.0 Payload encoding / encryption single-byte XOR AES in CTR mode (key given as a cmdline argument) C2 Protocol TLS TCP/TLS/HTTP(S)/UDP Server-mode support No Yes 3rd-party library uthash, Mbed TLS uthash Reported year 2020 2019
  • 42. Incident Response Case Triggered by Discovered C2 CB 2022
  • 44. How to Get Input (Port Scan) Data scanning target ports CB 2022 ZMap Shodan CenSys TCP/10333 4,940,037 4 1,306 TCP/55555 3,199,856 86 486,497 Note: The data was collected in 2021/11
  • 45. Anonymization CB 2022 Tor Commercial VPN service Cost Free Non-free Supported protocols TCP TCP/UDP Risk of being blocked High Low
  • 48. Anti-Scanning Techniques: Cobalt Strike (Cont.) blocked CB 2022
  • 50. Pros and Cons of Research Publication in Cobalt Strike Case JSAC 2021 CB 2022
  • 51. Research Publication Merits: Stopping MS Azure domain fronting stated CB 2022 Source: Exposing Malware in Linux-Based Multi-Cloud Environments
  • 52. Research Publication Merits: Stopping Ongoing Attack Campaign CB 2022 Source: Exposing Malware in Linux-Based Multi-Cloud Environments
  • 54. Research Publication Demerits: Threat Actor’s Reaction APT41 CB 2022 Protocol/Port Stager-disabled/Total in Sep 2021 Stager-disabled/Total in Jul 2022 HTTP/80 217/559 (38%) 208/387 (53%) HTTPS/443 210/928 (22%) 206/431 (47%) DNS/53 46/150 (30%) 51/51 (100%) Change in the result of a single scan
  • 58. Indicators of Compromise CB 2022 Indicator Type Context 0a3279bb86ff0de24c2a4b646f24ffa196ee639cc23c64a 044e20f50b93bda21 SHA256 Winnti 4.0 dat file 03b7b511716c074e9f6ef37318638337fd7449897be99 9505d4a3219572829b4 SHA256 ShadowPad Variant1 aef610b66b9efd1fa916a38f8ffea8b988c20c5deebf4db8 3b6be63f7ada2cc0 SHA256 ShadowPad Variant2 d011130defd8b988ab78043b30a9f7e0cada5751064b3 975a19f4de92d2c0025 SHA256 ShadowPad Variant3 1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da1 57eb4c1ef0f0430fd5f SHA256 Spyder communicating with the ShadowPad C2 (156.240.104.149) 536def339fefa0c259cf34f809393322cdece06fc4f2b37f 06136375b073dff3 SHA256 ReverseWindow communicating with the ShadowPad C2 (43.129.188.223) 9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a3 25932ad55eef9e0e4a SHA256 ShadowPad Variant1 communicating with the ShadowPad C2 (213.59.118.124)