SlideShare a Scribd company logo

Formbook - In-depth malware analysis (Botconf 2018)

R
Rémi Jullian

Slides related to my talk about formbook malware, presented at Botconf 2018.

Technology
1 of 56
Download to read offline
FORMBOOKFORMBOOKIn-depth malware analysisIn-depth malware analysis 1
Malware Analyst at Stormshield (1+ year) Previously Intrusion Detection Engineer at ANSSI (4 years)   ~/$ whoami~/$ whoami Rémi JullianRémi Jullian Interested in reverse-engineering, vulnerability exploitation, threat- intelligence, software developement, ... @netsecurity1 https://blog.remijullian.fr 2
AgendaAgenda Formbook overview Anti-analysis tricks Code injection and process hollowing Userland hooks Keylogger Password harvesting C&C Network protocol 3
Formbook overviewFormbook overview 4 . 1
Form-grabber / password-stealerForm-grabber / password-stealer Target 92 different applications Inject code in targeted applications in order to: Intercept network requests Implement a key-logger Harvest users' application passwords Take screenshots Execute C&C commands 4 . 2
Web-BrowsersWeb-Browsers Mail clients, FTP clients, IM appsMail clients, FTP clients, IM apps Formbook targeted applicationsFormbook targeted applications 4 . 3
Malware As A ServiceMalware As A Service Ready-to-use malware sold/rent directly by the developerReady-to-use malware sold/rent directly by the developer Used to be sold on hackforums[.]net by 'ng-Coder' There is no builder available Customers get their own .exe and web-based panel access 4 . 4
Formbook distributionFormbook distribution 4 . 5
Formbook distributionFormbook distribution 4 . 6
Anti-analysis tricksAnti-analysis tricks 5 . 1
Stack-strings obfuscation Strings encryption schema Strings obfuscation and encryptionStrings obfuscation and encryption 5 . 2
Hashes are used to: Perform dynamic import function by hash Check for blacklisted running processes Check for blacklisted loaded modules by module path by module name Check for blacklisted usernames Check for targeted applications Strings hashingStrings hashing Formbook uses the BZip2 CRC32 hash function  10 0xbf0a5e41 LdrLoadDll 11 0x2902d074 KiFastSystemCal 12 0xf653b199 NtCreateProcess .. 79 0x3ebe9086 vmwareuser.exe 80 0x4c6fddb5 vmwareservice.ex .. 99 0x6484bcb5 cuckoo 100 0x11fc2f72 sandcastle .. 106 0xed297eae cuckoo 107 0xa88492a6 sandbox- .. 113 0xb4e1ae2 ntdll.dll 114 0x24a48dcf guard32.dll 115 0xe11da208 SbieDll.dll .. .. 120 0x9e01fc32 iexplore.exe 121 0x216500c2 firefox.exe List of hashes and related strings 5 . 3
Strings hashes recoveringStrings hashes recovering We wrote a python module named  We also used FireEye's plugin MalwareHash from malware_hash import MalwareHash import binascii mh = MalwareHash(binascii.crc32) # user-defined hash func string_list = mh.get_strings_by_hash(0x77ae10f7) print(string_list) # ['u'wireshark.exe] .. "sandbox_tools":[ "python.exe", "py.exe", "perl.exe", "ruby.exe", "joeboxserver.exe", "joeboxcontrol.exe" ], .. hash_sources.json .. "dump_files.net":[ "a.exe", "a0380mon.exe", "a1dashboard_launcher.exe", "a1dashboard_service.exe", "a1diagnose.exe", "a2adguard.exe", .. ], files_net.json shellcode_hashes 5 . 4
Data encryptionData encryption Formbook uses 'encrypted buffers' stored in the .text sectionFormbook uses 'encrypted buffers' stored in the .text section Schema from Arbor Network analysis 5 . 5
2 decryption functions Example of encrypted buffersExample of encrypted buffers BZip2 CRC32 hashes' array Array of various strings Array of PE images file name The C&C server's URI x86 and x64 instructions Data encryptionData encryption 5 . 6
Manually mapping of NTDLLManually mapping of NTDLL Ntdll exposes the native API used to call system services It is frequently monitored by security solutions Cuckoo sandbox monitors function calls with inline hooks Malware analysts set breakpoints on ntdll.dll related functions Formbook manually maps its own copy of ntdll.dll 5 . 7
ntdll.dll loaded by the Windows loader ntdll.dll manually loaded by Formbook Manually mapping of NTDLLManually mapping of NTDLL Disassembly of NtAdjustPrivilegesToken (WOW64) 5 . 8
Manually mapping of NTDLLManually mapping of NTDLL ntdll.dll loaded by the Windows loaderntdll.dll loaded by the Windows loader ntdll.dll manually loaded by formbookntdll.dll manually loaded by formbook BaseAddr EndAddr+1 RgnSize Type State Protect ------------------------------------------------------------------------ 77c30000 77c31000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77c31000 77c40000 f000 MEM_IMAGE MEM_RESERVE 77c40000 77d16000 d6000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ 77d16000 77d20000 a000 MEM_IMAGE MEM_RESERVE 77d20000 77d21000 1000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ 77d21000 77d30000 f000 MEM_IMAGE MEM_RESERVE 77d30000 77d31000 1000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE 77d31000 77d32000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77d32000 77d33000 1000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE 77d33000 77d34000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY 77d34000 77d39000 5000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE 77d39000 77d40000 7000 MEM_IMAGE MEM_RESERVE 77d40000 77d97000 57000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77d97000 77da0000 9000 MEM_IMAGE MEM_RESERVE 77da0000 77da5000 5000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77da5000 77db0000 b000 MEM_IMAGE MEM_RESERVE BaseAddr EndAddr+1 RgnSize Type State Protect ------------------------------------------------------------------------ 00800000 00b03000 303000 MEM_PRIVATE MEM_COMMIT PAGE_EXECUTE_READWRITE 5 . 9
Loading additional DLLsLoading additional DLLs Empty Import Directory TableEmpty Import Directory Table Likely suggest dynamic function importing Additional DLLs are loaded using ntdll!LdrLoadDll5 . 10
Dynamic function importingDynamic function importing Formbook can import functions byFormbook can import functions by Name Function ordinal Function name's hash (BZip2 CRC32) 5 . 11
ntdll.dll - 32 bits (in WOW64)ntdll.dll - 32 bits (in WOW64) ntdll.dll - 64 bitsntdll.dll - 64 bits WOW64 (Windows 32 bit On Windows 64 bit)WOW64 (Windows 32 bit On Windows 64 bit) In WOW64 mode, Windows loads 2 versions of ntdll.dll 32-bits from %windir%SysWOW64 64-bits from %windir%System32 0:002> u ntdll!NtCreateFile ntdll!ZwCreateFile: 77c500a4 mov eax,52h 77c500a9 xor ecx,ecx 77c500ab lea edx,[esp+4] ; fs:[0xc0] points to TEB.WOW32Reserved 77c500af call dword ptr fs:[0C0h] 77c500b6 add esp,4 77c500b9 ret 2Ch 0:002> u ntdll!NtCreateFile ntdll!ZwCreateFile: 00000000773b1860 mov r10,rcx 00000000773b1863 mov eax,52h ; Invokes an OS system-call handler 00000000773b1868 syscall 00000000773b186a ret 5 . 12
Without Wow32Reserved hookWithout Wow32Reserved hook With Wow32Reserved hookWith Wow32Reserved hook Check for WOW32Reserved hookCheck for WOW32Reserved hook Formbook checks if WOW32Reserved points to a 64-bit DLLFormbook checks if WOW32Reserved points to a 64-bit DLL OllyDbg Stealth64 plugin uses Wow32Reserved hooks Use ntdll!NtQueryVirtualMemory to get the base address Check if a 64-bit DLL is mapped at the base address 0:000> dt ntdll!_TEB WOW32Reserved @$teb ; Points to wow64cpu.dll (64-bit DLL) +0x0c0 WOW32Reserved : 0x74362320 Void 0:000> u 0x74362320 L1 ; Switch from x86 to x64 mode (Heaven Gate) 74362320 ea1e2736743300 jmp 0033:7436271E 0:000> dt ntdll!_TEB WOW32Reserved @$teb ; Points on a dynamically allocated block +0x0c0 WOW32Reserved : 0x73c72320 Void 0:000> u 0x73c72320 L1 ; Jmp on a dynamically allocated block of me 73c72320 e9ebdc320b jmp 7efa0010 [VB-2009-05] 5 . 13
ntdll!NtQuerySystemInformationntdll!NtQuerySystemInformation SystemKernelDebuggerInformation Ring-0 debugger ProcessDebugPort Ring-3 debugger Check for a debuggerCheck for a debugger Reading the PEBReading the PEB typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; .. .. } PEB, *PPEB; 5 . 14
Check for inline hooksCheck for inline hooks 5 . 15
1. WOW32 Reserved hook 2. Software debugger 3. Kernel debugger 4. Blacklisted base file name 5. Blacklisted username 6. Blacklisted username 7. Blacklisted loaded module path 8. Blacklisted loaded module path 9. Blacklisted running process 10. Blacklisted running process 11. Blacklisted loaded DLL Checking anti-analysis tests resultsChecking anti-analysis tests results 5 . 16
Code injection and processCode injection and process hollowinghollowing 6 . 1
Process hollowing overviewProcess hollowing overview Used to migrate to a Windows like process Formbook code is mapped in explorer.exe APC injection or thread hijacking targets explorer.exe explorer.exe creates a new (suspended) process Formbook migrates to this process 6 . 2
Process hollowing schema 1. Map a copy of itself within explorer' address space formbook.exe explorer.exe formbook.exe 2. Hijack explorer's main thread svchost.exe 3. Create a geniune microsoft suspended process formbook.exe6. Map of copy of itself within newly created process 7. Patch process entry point instructions and resume process 5. Retreive newly created process information 4. Restore explorer's saved instruction pointer 1. NtOpenProcess(), NtCreateSection(), NtMapViewOfSection() 2. NtOpenThread(), NtSuspendThread(), NtGetThreadContext(), NtSetThreadContext(), NtResumeThread() 3. CreateProcessInternalW() 4. ret instruction to saved CONTEXT.Eip 5. NtReadVirtualMemory() 6. NtOpenProcess(), NtMapViewOfSection() 7. NtOpenThread(), NtResumeThread() Stage 1 Stage 3 Stage 2 6 . 3
Process hollowing summaryProcess hollowing summary Formbook is now looking like a geniune Microsoft process It's original process has exited explorer.exe now contains formbook's code (dead code) New formbook process can now inject targeted applications 6 . 4
Targeted processes injection overviewTargeted processes injection overview Formbook code is mapped in targeted processes Targeted processes main thread is hijacked Inline userland hooks are setup during hijacked thread execution No new thread created ! 6 . 5
Targeted process injection schema firefox.exe formbook.exe svchost.exe formbook.exe 1. NtOpenProcess(), NtCreateSection(), NtMapViewOfSection() 2. NtOpenThread(), NtSuspendThread(), NtGetThreadContext(), NtSetThreadContext(), NtResumeThread() 3. NtProtectVirtualMemory() 4. ret instruction to saved CONTEXT.Eip Stage 3 Targeted process 1. Map a copy of itself within firefox process' address space 2. Hijack firefox's main thread nss3.dll 3. Setup userland inline hooks 4. Restore firefox's saved instruction pointer 6 . 6
Userland hooksUserland hooks 7 . 1
What's a userland hook ?What's a userland hook ? Mechanism used to hijack the control flow of targeted functions Each targeted function has its own detour function Targeted functions parameters can be read (and modified) Interesting targets for formbook: Encryption functions Networking functions Keyboard input related functions Formbook uses inline userland hooks 7 . 2
WSASend - x86WSASend - x86 PR_Write - x86PR_Write - x86 WSASend - x64WSASend - x64 PR_Write - x64PR_Write - x64 Inline hooks characteristicsInline hooks characteristics Override the first bytes of targeted functions with a call 32-bits - call near 64-bits - mov rax, imm64; call rax Must handle targeted architecture specifications x86 and x64 instructions length are variable Calling convention changes between x86 and x64 Function's prologue may differ even on the same architecture WS2_32!WSASend: 8bff mov edi,edi 55 push ebp 8bec mov ebp,esp nss3!PR_Write: 55 push ebp 8bec mov ebp,esp 8b4508 mov eax,dword ptr [ebp+8] WS2_32!WSASend: 48895c2408 mov qword ptr [rsp+8],rbx 48896c2410 mov qword ptr [rsp+10h],rbp 4889742418 mov qword ptr [rsp+18h],rsi 48897c2420 mov qword ptr [rsp+20h],rdi nss3!PR_Write: 488b01 mov rax,qword ptr [rcx]; 48ff6018 jmp qword ptr [rax+18h] cc int 3 7 . 3
How inline userland hooks are setup?How inline userland hooks are setup? 1. Retreive the virtual address of the targeted function 2. Disassemble the targeted function prologue 3. Save the instructions altered by the hook 4. Write the trampoline at the end of the detour function 5. Write the call to the detour function 7 . 4
Inline hook targeting PR_Write (nss3.dll) 1 nss3.dll PR_Write: E8 F7 D2 E4 A5 | call formbook_detour_func 4E             | dec esi  FF 75 10       | push dword ptr ss:[ebp+10]   .. .. C3             | retn 3 Formbook section formbook_hook_PR_Write_2: 90 | nop 50 | push eax 8B C4 | mov eax, esp 60 | pusha ; save registers 50 | push eax E8 11 A1 FE FF | call formbook_hook_PR_Write_3 83 C4 04 | add esp, 4 61 | popa ; restore registers 58 | pop eax 83 C4 04 | add esp, 4 C3 | retn .. .. formbook_hook_PR_Write_1: 68 88 88 88 88 | push 0x88888888; patched value E9 4B E1 FF FF | jmp formbook_hook_PR_Write_2 C3             | retn .. .. formbook_detour_func: 83 C4 04       | add esp, 4  E8 7B 03 FF FF | call formbook_hook_PR_Write_1 55             | push ebp 8B EC          | mov ebp, esp 8B 45 08       | mov eax, dword ptr ss:[ebp+8] 46             | inc esi 68 25 E1 EE    | push nss.PR_Write+5 C3             | retn 4 2 saved instructions trampoline 7 . 5
Web-browsers targeted functionsWeb-browsers targeted functions DLL Function Browser Pre-encryption secur32.dll EncryptMessage Yes wininet.dll HttpSendRequestA HttpSendRequestW InternetQueryOptionW Yes nspr4.dll PR_Write Yes nss3.dll PR_Write Yes ws2_32.dll WSASend No 7 . 6
Web-browsers Mail clients, FTP clients, IM apps The entire buffer containing credentials is sent to the C&C server Extract web-browser's User-Agent value for furtive C&C requests Detour functions goalsDetour functions goals Extract credentials from intercepted network requestsExtract credentials from intercepted network requests Search authentication keywords within hooked functions' buffer ['pass', 'token', 'email', 'login', 'signin', 'account', 'persistent'] ['user', 'pass', 'auth', 'login'] 7 . 7
KeyloggerKeylogger 8 . 1
Windows Messaging SystemWindows Messaging System Messages from the window can be retreived with: GetMessage (blocking) PeekMessage (non-blocking) 8 . 2
Functions hookedFunctions hooked GetMessage PeekMessage SendMessage Key-Logger implementationKey-Logger implementation All targeted applications are beeing key-loggedAll targeted applications are beeing key-logged Messages filtered by detour functionMessages filtered by detour function WM_KEYDOWN WM_SYSKEYDOWN WM_LBUTTONDOWN WM_RBUTTONDOWN typedef struct tagMSG { HWND hwnd; UINT message; // The message identifier WPARAM wParam; // The virtual-key code LPARAM lParam; DWORD time; POINT pt; DWORD lPrivate; } MSG, *PMSG, *NPMSG, *LPMSG; 8 . 3
Virtual-key to character translationVirtual-key to character translation Custom virtual-key translationCustom virtual-key translation Virtual-Key Character Printable string 0x1b Escape Key [Esc] 0x12 Alt key [Alt] 0x09 Tab Key [Tab] 0x0d Enter key [Enter] 0x08 Backspace key [<-Del] Non-special charactersNon-special characters ToUnicode() 8 . 4
Key-logger's file writing svchost.exe formbook.exe Targeted process firefox.exe formbook.exe Stage 3 shared memory area Same section mapped in all targeted processes and explorer's process shared memory area Injects targeted processes Explorer process explorer.exe formbook.exe shared memory area Formbook's thread running in explorer's process Reads keystrokes from shared memory area Writes keystrokes to shared memory area Creates thread in explorer's process Keylogger's file Writes into keylogger file 8 . 5
Grabbing clipboard dataGrabbing clipboard data A window uses the clipboard when cutting, copying, or pasting data Mouse clicks events are used to trigger clipboard data extraction WM_LBUTTONDOWN WM_RBUTTONDOWN 8 . 6
Keylogger file Clipboard file Temporary stored in %APPDATA% PREFIX matches regexp [a-zA-Z0-9] Derived from the username and C&C server Key-logger and Clipboard data fileKey-logger and Clipboard data file %APPDATA%RoamingPREFIX{8}PREFIX{3}log.ini %APPDATA%RoamingPREFIX{8}PREFIX{3}logc.ini 8 . 7
Password harvestingPassword harvesting 9 . 1
Firefox Internet Explorer Chrome Opera Thunderbird Outlook Windows Vault Sqlite query targeting Firefox Sqlite query targeting Chrome  Password harvestingPassword harvesting Extract password saved on the filesystemExtract password saved on the filesystem SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_login SELECT origin_url, username_value, password_value FROM logins Browser-dumpwd project 9 . 2
C&C Network ProtocolC&C Network Protocol 10 . 1
C&C network protocol overviewC&C network protocol overview Formbook communicates with its C&C using HTTP requests The C&C server is implemented as a PHP web-application HTTP requests are "hand made" using low-level socket API Beaconing requests (GET) are used to pull C&C commands Exfiltration requests (POST) are used to send stolen data Data is encrypted using RC-4 Key is SHA-1(http.host + http.base_uri) A formbook PCAP can be decrypted without sample o/ 10 . 2
Beaconing requestsBeaconing requests Send by formbook's thread running within explorer's process GET parameter value after base 64 decode and decryption FBNG: 4-bytes magic header C1EACBB4: CRC32 checksum of the user’s SID 3.8: Formbook version Windows 7 Enterprise x64: Operating system YWRtaW4xMjM0: base64 encoded username FBNG:C1EACBB43.8:Windows 7 Enterprise x64:YWRtaW4xMjM0 10 . 3
C&C command in HTTP reply C&C command menu C&C commandsC&C commands Specified within HTTP replies to beaconing requests Server replies 200 OK only if a task has been added with the panel 10 . 4
Type of exfiltrated data Intercepted network requests Password recoveries Keylogged data Clipboard data Screenshots POST parameter value after base 64 decode and decryption dat: base 64 encoded and RC-4 encrypted payload un: base 64 encoded username br: Type of exfiltrated data / Browser id Data exfiltration requestsData exfiltration requests dat=[TRUNC]LNSqnAQI6omSmS~2P0[TRUNC]&un=Ym9tYmVybWFu&br=9 10 . 5
Fake C&C serversFake C&C servers Used to hide the real C&C server during sandbox analysis Randomly selected from the list of encrypted strings Reached as much as the real C&C server 77 f-start 78 spaceship2mars.net 79 streamlinecoach.net .. 103 gbmode.com .. 110 licitatii.site .. 126 monastery-records.com .. 140 daviesadeloye.com 141 msmhhh0opk.com 142 f-end 10 . 6
Formbook PCAP decodingFormbook PCAP decoding Rémi J. @netsecurity1 We released a small python script used to parse #formbook PCAPs containing HTTP requests to C&C. Currently extracting: * Beaconing requests * Intercepted HTML forms * Password Recoveries * Clipboard data * Screenshotgithub.com/ThisIsSecurity… 197 09:31 - 8 oct. 2018 112 personnes parlent à ce sujet 10 . 7
ConclusionConclusion Formbook is widely spread Easily accessible by cyber-criminals Uses a lot of anti-analysis tricks Implements interesting code injection techniques Can steal users' data using various mechanisms 11
ReferencesReferences Previous workPrevious work D. Schwarz, - 09/2017 N. Villeneuve, R. Eitzman, S. Nemes, and T. Dean, - 10/2017 IDA Python script / Formbook PCAP decoderIDA Python script / Formbook PCAP decoder  Formbook sample (3.8)Formbook sample (3.8) The formidable formbook formgrabber Significant formbook distribution campaigns impacting the u.s. and south korea https://github.com/ThisIsSecurity/malware/tree/master/formbook Original sample Unpacked version 12

Recommended

Google Chrome on Android を自動実行
Google Chrome on Android を自動実行Google Chrome on Android を自動実行
Google Chrome on Android を自動実行洋史 東平
 
Web Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – IIWeb Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – IIMehmet Ince
 
Scada Sistemleri ve Güvenliği
Scada Sistemleri ve GüvenliğiScada Sistemleri ve Güvenliği
Scada Sistemleri ve GüvenliğiAhmet Gürel
 
Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1Mehmet Ince
 
Raspberry pi led blink
Raspberry pi led blinkRaspberry pi led blink
Raspberry pi led blinkvishal choudhary
 
Sızma Testlerinde Armitage Kullanımı
Sızma Testlerinde Armitage KullanımıSızma Testlerinde Armitage Kullanımı
Sızma Testlerinde Armitage KullanımıBGA Cyber Security
 
Ossec - Host Based Saldırı Tespit Sistemi
Ossec - Host Based Saldırı Tespit SistemiOssec - Host Based Saldırı Tespit Sistemi
Ossec - Host Based Saldırı Tespit SistemiBilgiO A.S / Linux Akademi
 
Nessus Kullanım Kitapçığı
Nessus Kullanım KitapçığıNessus Kullanım Kitapçığı
Nessus Kullanım KitapçığıBGA Cyber Security
 

Recommended

Google Chrome on Android を自動実行
Google Chrome on Android を自動実行Google Chrome on Android を自動実行
Google Chrome on Android を自動実行洋史 東平
 
Web Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – IIWeb Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – IIMehmet Ince
 
Scada Sistemleri ve Güvenliği
Scada Sistemleri ve GüvenliğiScada Sistemleri ve Güvenliği
Scada Sistemleri ve GüvenliğiAhmet Gürel
 
Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1Mehmet Ince
 
Raspberry pi led blink
Raspberry pi led blinkRaspberry pi led blink
Raspberry pi led blinkvishal choudhary
 
Sızma Testlerinde Armitage Kullanımı
Sızma Testlerinde Armitage KullanımıSızma Testlerinde Armitage Kullanımı
Sızma Testlerinde Armitage KullanımıBGA Cyber Security
 
Ossec - Host Based Saldırı Tespit Sistemi
Ossec - Host Based Saldırı Tespit SistemiOssec - Host Based Saldırı Tespit Sistemi
Ossec - Host Based Saldırı Tespit SistemiBilgiO A.S / Linux Akademi
 
Nessus Kullanım Kitapçığı
Nessus Kullanım KitapçığıNessus Kullanım Kitapçığı
Nessus Kullanım KitapçığıBGA Cyber Security
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detectionChong-Kuan Chen
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeBGA Cyber Security
 
Picking apart the morris worm
Picking apart the morris wormPicking apart the morris worm
Picking apart the morris wormJayakrishna Menon
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
BeRTOS: Free Embedded RTOS
BeRTOS: Free Embedded RTOSBeRTOS: Free Embedded RTOS
BeRTOS: Free Embedded RTOSDeveler S.r.l.
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciPRISMA CSI
 
Predicting cyber bullying on t witter using machine learning
Predicting cyber bullying on t witter using machine learningPredicting cyber bullying on t witter using machine learning
Predicting cyber bullying on t witter using machine learningMirXahid1
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİBGA Cyber Security
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBGA Cyber Security
 
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıWebinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıBGA Cyber Security
 
Pentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
Pentest Çalışmalarında Kablosuz Ağ Güvenlik TestleriPentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
Pentest Çalışmalarında Kablosuz Ağ Güvenlik TestleriBGA Cyber Security
 
user centric machine learning framework for cyber security operations center
user centric machine learning framework for cyber security operations centeruser centric machine learning framework for cyber security operations center
user centric machine learning framework for cyber security operations centerVenkat Projects
 
Nmap101 Eğitim Sunumu - Nmap Kullanım Kılavuzu
Nmap101 Eğitim Sunumu - Nmap Kullanım KılavuzuNmap101 Eğitim Sunumu - Nmap Kullanım Kılavuzu
Nmap101 Eğitim Sunumu - Nmap Kullanım KılavuzuMehmet Caner Köroğlu
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBGA Cyber Security
 
Web For Pentester ile Web Uygulama Güvenliğine Giriş
Web For Pentester ile Web Uygulama Güvenliğine GirişWeb For Pentester ile Web Uygulama Güvenliğine Giriş
Web For Pentester ile Web Uygulama Güvenliğine GirişUmut Ergin
 
Windows 10 driver development (fixed, rev.2)
Windows 10 driver development (fixed, rev.2)Windows 10 driver development (fixed, rev.2)
Windows 10 driver development (fixed, rev.2)Atomu Hidaka
 
First Review(Ppt)
First Review(Ppt)First Review(Ppt)
First Review(Ppt)smjagadish
 
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİM
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİMSiber Güvenlik Eğitimleri | SPARTA BİLİŞİM
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİMSparta Bilişim
 
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?BGA Cyber Security
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsDr. Ramchandra Mangrulkar
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 

More Related Content

What's hot

Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detectionChong-Kuan Chen
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeBGA Cyber Security
 
Picking apart the morris worm
Picking apart the morris wormPicking apart the morris worm
Picking apart the morris wormJayakrishna Menon
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
BeRTOS: Free Embedded RTOS
BeRTOS: Free Embedded RTOSBeRTOS: Free Embedded RTOS
BeRTOS: Free Embedded RTOSDeveler S.r.l.
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciPRISMA CSI
 
Predicting cyber bullying on t witter using machine learning
Predicting cyber bullying on t witter using machine learningPredicting cyber bullying on t witter using machine learning
Predicting cyber bullying on t witter using machine learningMirXahid1
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİBGA Cyber Security
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBGA Cyber Security
 
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıWebinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıBGA Cyber Security
 
Pentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
Pentest Çalışmalarında Kablosuz Ağ Güvenlik TestleriPentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
Pentest Çalışmalarında Kablosuz Ağ Güvenlik TestleriBGA Cyber Security
 
user centric machine learning framework for cyber security operations center
user centric machine learning framework for cyber security operations centeruser centric machine learning framework for cyber security operations center
user centric machine learning framework for cyber security operations centerVenkat Projects
 
Nmap101 Eğitim Sunumu - Nmap Kullanım Kılavuzu
Nmap101 Eğitim Sunumu - Nmap Kullanım KılavuzuNmap101 Eğitim Sunumu - Nmap Kullanım Kılavuzu
Nmap101 Eğitim Sunumu - Nmap Kullanım KılavuzuMehmet Caner Köroğlu
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBGA Cyber Security
 
Web For Pentester ile Web Uygulama Güvenliğine Giriş
Web For Pentester ile Web Uygulama Güvenliğine GirişWeb For Pentester ile Web Uygulama Güvenliğine Giriş
Web For Pentester ile Web Uygulama Güvenliğine GirişUmut Ergin
 
Windows 10 driver development (fixed, rev.2)
Windows 10 driver development (fixed, rev.2)Windows 10 driver development (fixed, rev.2)
Windows 10 driver development (fixed, rev.2)Atomu Hidaka
 
First Review(Ppt)
First Review(Ppt)First Review(Ppt)
First Review(Ppt)smjagadish
 
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİM
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİMSiber Güvenlik Eğitimleri | SPARTA BİLİŞİM
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİMSparta Bilişim
 
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?BGA Cyber Security
 

What's hot (20)

Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detection
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
 
Picking apart the morris worm
Picking apart the morris wormPicking apart the morris worm
Picking apart the morris worm
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems design
 
BeRTOS: Free Embedded RTOS
BeRTOS: Free Embedded RTOSBeRTOS: Free Embedded RTOS
BeRTOS: Free Embedded RTOS
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz Süreci
 
Predicting cyber bullying on t witter using machine learning
Predicting cyber bullying on t witter using machine learningPredicting cyber bullying on t witter using machine learning
Predicting cyber bullying on t witter using machine learning
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case Study
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma Testleri
 
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım SenaryolarıWebinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
Webinar: SOC Ekipleri için MITRE ATT&CK Kullanım Senaryoları
 
Pentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
Pentest Çalışmalarında Kablosuz Ağ Güvenlik TestleriPentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
Pentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
 
user centric machine learning framework for cyber security operations center
user centric machine learning framework for cyber security operations centeruser centric machine learning framework for cyber security operations center
user centric machine learning framework for cyber security operations center
 
Nmap101 Eğitim Sunumu - Nmap Kullanım Kılavuzu
Nmap101 Eğitim Sunumu - Nmap Kullanım KılavuzuNmap101 Eğitim Sunumu - Nmap Kullanım Kılavuzu
Nmap101 Eğitim Sunumu - Nmap Kullanım Kılavuzu
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma Testleri
 
Web For Pentester ile Web Uygulama Güvenliğine Giriş
Web For Pentester ile Web Uygulama Güvenliğine GirişWeb For Pentester ile Web Uygulama Güvenliğine Giriş
Web For Pentester ile Web Uygulama Güvenliğine Giriş
 
Windows 10 driver development (fixed, rev.2)
Windows 10 driver development (fixed, rev.2)Windows 10 driver development (fixed, rev.2)
Windows 10 driver development (fixed, rev.2)
 
First Review(Ppt)
First Review(Ppt)First Review(Ppt)
First Review(Ppt)
 
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİM
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİMSiber Güvenlik Eğitimleri | SPARTA BİLİŞİM
Siber Güvenlik Eğitimleri | SPARTA BİLİŞİM
 
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
 

Similar to Formbook - In-depth malware analysis (Botconf 2018)

Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsDr. Ramchandra Mangrulkar
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet IntroductionWei Sun
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법GangSeok Lee
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseTakahiro Haruyama
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
Dotnetintroduce 100324201546-phpapp02
Dotnetintroduce 100324201546-phpapp02Dotnetintroduce 100324201546-phpapp02
Dotnetintroduce 100324201546-phpapp02Wei Sun
 
Technical Report Vawtrak v2
Technical Report Vawtrak v2Technical Report Vawtrak v2
Technical Report Vawtrak v2Blueliv
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
VB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkVB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkAmr Thabet
 

Similar to Formbook - In-depth malware analysis (Botconf 2018) (20)

Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
 
Dotnetintroduce 100324201546-phpapp02
Dotnetintroduce 100324201546-phpapp02Dotnetintroduce 100324201546-phpapp02
Dotnetintroduce 100324201546-phpapp02
 
Technical Report Vawtrak v2
Technical Report Vawtrak v2Technical Report Vawtrak v2
Technical Report Vawtrak v2
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
VB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkVB2013 - Security Research and Development Framework
VB2013 - Security Research and Development Framework
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 

Recently uploaded

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Formbook - In-depth malware analysis (Botconf 2018)

  • 2. Malware Analyst at Stormshield (1+ year) Previously Intrusion Detection Engineer at ANSSI (4 years)   ~/$ whoami~/$ whoami Rémi JullianRémi Jullian Interested in reverse-engineering, vulnerability exploitation, threat- intelligence, software developement, ... @netsecurity1 https://blog.remijullian.fr 2
  • 3. AgendaAgenda Formbook overview Anti-analysis tricks Code injection and process hollowing Userland hooks Keylogger Password harvesting C&C Network protocol 3
  • 5. Form-grabber / password-stealerForm-grabber / password-stealer Target 92 different applications Inject code in targeted applications in order to: Intercept network requests Implement a key-logger Harvest users' application passwords Take screenshots Execute C&C commands 4 . 2
  • 6. Web-BrowsersWeb-Browsers Mail clients, FTP clients, IM appsMail clients, FTP clients, IM apps Formbook targeted applicationsFormbook targeted applications 4 . 3
  • 7. Malware As A ServiceMalware As A Service Ready-to-use malware sold/rent directly by the developerReady-to-use malware sold/rent directly by the developer Used to be sold on hackforums[.]net by 'ng-Coder' There is no builder available Customers get their own .exe and web-based panel access 4 . 4
  • 11. Stack-strings obfuscation Strings encryption schema Strings obfuscation and encryptionStrings obfuscation and encryption 5 . 2
  • 12. Hashes are used to: Perform dynamic import function by hash Check for blacklisted running processes Check for blacklisted loaded modules by module path by module name Check for blacklisted usernames Check for targeted applications Strings hashingStrings hashing Formbook uses the BZip2 CRC32 hash function  10 0xbf0a5e41 LdrLoadDll 11 0x2902d074 KiFastSystemCal 12 0xf653b199 NtCreateProcess .. 79 0x3ebe9086 vmwareuser.exe 80 0x4c6fddb5 vmwareservice.ex .. 99 0x6484bcb5 cuckoo 100 0x11fc2f72 sandcastle .. 106 0xed297eae cuckoo 107 0xa88492a6 sandbox- .. 113 0xb4e1ae2 ntdll.dll 114 0x24a48dcf guard32.dll 115 0xe11da208 SbieDll.dll .. .. 120 0x9e01fc32 iexplore.exe 121 0x216500c2 firefox.exe List of hashes and related strings 5 . 3
  • 13. Strings hashes recoveringStrings hashes recovering We wrote a python module named  We also used FireEye's plugin MalwareHash from malware_hash import MalwareHash import binascii mh = MalwareHash(binascii.crc32) # user-defined hash func string_list = mh.get_strings_by_hash(0x77ae10f7) print(string_list) # ['u'wireshark.exe] .. "sandbox_tools":[ "python.exe", "py.exe", "perl.exe", "ruby.exe", "joeboxserver.exe", "joeboxcontrol.exe" ], .. hash_sources.json .. "dump_files.net":[ "a.exe", "a0380mon.exe", "a1dashboard_launcher.exe", "a1dashboard_service.exe", "a1diagnose.exe", "a2adguard.exe", .. ], files_net.json shellcode_hashes 5 . 4
  • 14. Data encryptionData encryption Formbook uses 'encrypted buffers' stored in the .text sectionFormbook uses 'encrypted buffers' stored in the .text section Schema from Arbor Network analysis 5 . 5
  • 15. 2 decryption functions Example of encrypted buffersExample of encrypted buffers BZip2 CRC32 hashes' array Array of various strings Array of PE images file name The C&C server's URI x86 and x64 instructions Data encryptionData encryption 5 . 6
  • 16. Manually mapping of NTDLLManually mapping of NTDLL Ntdll exposes the native API used to call system services It is frequently monitored by security solutions Cuckoo sandbox monitors function calls with inline hooks Malware analysts set breakpoints on ntdll.dll related functions Formbook manually maps its own copy of ntdll.dll 5 . 7
  • 17. ntdll.dll loaded by the Windows loader ntdll.dll manually loaded by Formbook Manually mapping of NTDLLManually mapping of NTDLL Disassembly of NtAdjustPrivilegesToken (WOW64) 5 . 8
  • 18. Manually mapping of NTDLLManually mapping of NTDLL ntdll.dll loaded by the Windows loaderntdll.dll loaded by the Windows loader ntdll.dll manually loaded by formbookntdll.dll manually loaded by formbook BaseAddr EndAddr+1 RgnSize Type State Protect ------------------------------------------------------------------------ 77c30000 77c31000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77c31000 77c40000 f000 MEM_IMAGE MEM_RESERVE 77c40000 77d16000 d6000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ 77d16000 77d20000 a000 MEM_IMAGE MEM_RESERVE 77d20000 77d21000 1000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ 77d21000 77d30000 f000 MEM_IMAGE MEM_RESERVE 77d30000 77d31000 1000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE 77d31000 77d32000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77d32000 77d33000 1000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE 77d33000 77d34000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY 77d34000 77d39000 5000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE 77d39000 77d40000 7000 MEM_IMAGE MEM_RESERVE 77d40000 77d97000 57000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77d97000 77da0000 9000 MEM_IMAGE MEM_RESERVE 77da0000 77da5000 5000 MEM_IMAGE MEM_COMMIT PAGE_READONLY 77da5000 77db0000 b000 MEM_IMAGE MEM_RESERVE BaseAddr EndAddr+1 RgnSize Type State Protect ------------------------------------------------------------------------ 00800000 00b03000 303000 MEM_PRIVATE MEM_COMMIT PAGE_EXECUTE_READWRITE 5 . 9
  • 19. Loading additional DLLsLoading additional DLLs Empty Import Directory TableEmpty Import Directory Table Likely suggest dynamic function importing Additional DLLs are loaded using ntdll!LdrLoadDll5 . 10
  • 20. Dynamic function importingDynamic function importing Formbook can import functions byFormbook can import functions by Name Function ordinal Function name's hash (BZip2 CRC32) 5 . 11
  • 21. ntdll.dll - 32 bits (in WOW64)ntdll.dll - 32 bits (in WOW64) ntdll.dll - 64 bitsntdll.dll - 64 bits WOW64 (Windows 32 bit On Windows 64 bit)WOW64 (Windows 32 bit On Windows 64 bit) In WOW64 mode, Windows loads 2 versions of ntdll.dll 32-bits from %windir%SysWOW64 64-bits from %windir%System32 0:002> u ntdll!NtCreateFile ntdll!ZwCreateFile: 77c500a4 mov eax,52h 77c500a9 xor ecx,ecx 77c500ab lea edx,[esp+4] ; fs:[0xc0] points to TEB.WOW32Reserved 77c500af call dword ptr fs:[0C0h] 77c500b6 add esp,4 77c500b9 ret 2Ch 0:002> u ntdll!NtCreateFile ntdll!ZwCreateFile: 00000000773b1860 mov r10,rcx 00000000773b1863 mov eax,52h ; Invokes an OS system-call handler 00000000773b1868 syscall 00000000773b186a ret 5 . 12
  • 22. Without Wow32Reserved hookWithout Wow32Reserved hook With Wow32Reserved hookWith Wow32Reserved hook Check for WOW32Reserved hookCheck for WOW32Reserved hook Formbook checks if WOW32Reserved points to a 64-bit DLLFormbook checks if WOW32Reserved points to a 64-bit DLL OllyDbg Stealth64 plugin uses Wow32Reserved hooks Use ntdll!NtQueryVirtualMemory to get the base address Check if a 64-bit DLL is mapped at the base address 0:000> dt ntdll!_TEB WOW32Reserved @$teb ; Points to wow64cpu.dll (64-bit DLL) +0x0c0 WOW32Reserved : 0x74362320 Void 0:000> u 0x74362320 L1 ; Switch from x86 to x64 mode (Heaven Gate) 74362320 ea1e2736743300 jmp 0033:7436271E 0:000> dt ntdll!_TEB WOW32Reserved @$teb ; Points on a dynamically allocated block +0x0c0 WOW32Reserved : 0x73c72320 Void 0:000> u 0x73c72320 L1 ; Jmp on a dynamically allocated block of me 73c72320 e9ebdc320b jmp 7efa0010 [VB-2009-05] 5 . 13
  • 23. ntdll!NtQuerySystemInformationntdll!NtQuerySystemInformation SystemKernelDebuggerInformation Ring-0 debugger ProcessDebugPort Ring-3 debugger Check for a debuggerCheck for a debugger Reading the PEBReading the PEB typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; .. .. } PEB, *PPEB; 5 . 14
  • 24. Check for inline hooksCheck for inline hooks 5 . 15
  • 25. 1. WOW32 Reserved hook 2. Software debugger 3. Kernel debugger 4. Blacklisted base file name 5. Blacklisted username 6. Blacklisted username 7. Blacklisted loaded module path 8. Blacklisted loaded module path 9. Blacklisted running process 10. Blacklisted running process 11. Blacklisted loaded DLL Checking anti-analysis tests resultsChecking anti-analysis tests results 5 . 16
  • 26. Code injection and processCode injection and process hollowinghollowing 6 . 1
  • 27. Process hollowing overviewProcess hollowing overview Used to migrate to a Windows like process Formbook code is mapped in explorer.exe APC injection or thread hijacking targets explorer.exe explorer.exe creates a new (suspended) process Formbook migrates to this process 6 . 2
  • 28. Process hollowing schema 1. Map a copy of itself within explorer' address space formbook.exe explorer.exe formbook.exe 2. Hijack explorer's main thread svchost.exe 3. Create a geniune microsoft suspended process formbook.exe6. Map of copy of itself within newly created process 7. Patch process entry point instructions and resume process 5. Retreive newly created process information 4. Restore explorer's saved instruction pointer 1. NtOpenProcess(), NtCreateSection(), NtMapViewOfSection() 2. NtOpenThread(), NtSuspendThread(), NtGetThreadContext(), NtSetThreadContext(), NtResumeThread() 3. CreateProcessInternalW() 4. ret instruction to saved CONTEXT.Eip 5. NtReadVirtualMemory() 6. NtOpenProcess(), NtMapViewOfSection() 7. NtOpenThread(), NtResumeThread() Stage 1 Stage 3 Stage 2 6 . 3
  • 29. Process hollowing summaryProcess hollowing summary Formbook is now looking like a geniune Microsoft process It's original process has exited explorer.exe now contains formbook's code (dead code) New formbook process can now inject targeted applications 6 . 4
  • 30. Targeted processes injection overviewTargeted processes injection overview Formbook code is mapped in targeted processes Targeted processes main thread is hijacked Inline userland hooks are setup during hijacked thread execution No new thread created ! 6 . 5
  • 31. Targeted process injection schema firefox.exe formbook.exe svchost.exe formbook.exe 1. NtOpenProcess(), NtCreateSection(), NtMapViewOfSection() 2. NtOpenThread(), NtSuspendThread(), NtGetThreadContext(), NtSetThreadContext(), NtResumeThread() 3. NtProtectVirtualMemory() 4. ret instruction to saved CONTEXT.Eip Stage 3 Targeted process 1. Map a copy of itself within firefox process' address space 2. Hijack firefox's main thread nss3.dll 3. Setup userland inline hooks 4. Restore firefox's saved instruction pointer 6 . 6
  • 33. What's a userland hook ?What's a userland hook ? Mechanism used to hijack the control flow of targeted functions Each targeted function has its own detour function Targeted functions parameters can be read (and modified) Interesting targets for formbook: Encryption functions Networking functions Keyboard input related functions Formbook uses inline userland hooks 7 . 2
  • 34. WSASend - x86WSASend - x86 PR_Write - x86PR_Write - x86 WSASend - x64WSASend - x64 PR_Write - x64PR_Write - x64 Inline hooks characteristicsInline hooks characteristics Override the first bytes of targeted functions with a call 32-bits - call near 64-bits - mov rax, imm64; call rax Must handle targeted architecture specifications x86 and x64 instructions length are variable Calling convention changes between x86 and x64 Function's prologue may differ even on the same architecture WS2_32!WSASend: 8bff mov edi,edi 55 push ebp 8bec mov ebp,esp nss3!PR_Write: 55 push ebp 8bec mov ebp,esp 8b4508 mov eax,dword ptr [ebp+8] WS2_32!WSASend: 48895c2408 mov qword ptr [rsp+8],rbx 48896c2410 mov qword ptr [rsp+10h],rbp 4889742418 mov qword ptr [rsp+18h],rsi 48897c2420 mov qword ptr [rsp+20h],rdi nss3!PR_Write: 488b01 mov rax,qword ptr [rcx]; 48ff6018 jmp qword ptr [rax+18h] cc int 3 7 . 3
  • 35. How inline userland hooks are setup?How inline userland hooks are setup? 1. Retreive the virtual address of the targeted function 2. Disassemble the targeted function prologue 3. Save the instructions altered by the hook 4. Write the trampoline at the end of the detour function 5. Write the call to the detour function 7 . 4
  • 36. Inline hook targeting PR_Write (nss3.dll) 1 nss3.dll PR_Write: E8 F7 D2 E4 A5 | call formbook_detour_func 4E             | dec esi  FF 75 10       | push dword ptr ss:[ebp+10]   .. .. C3             | retn 3 Formbook section formbook_hook_PR_Write_2: 90 | nop 50 | push eax 8B C4 | mov eax, esp 60 | pusha ; save registers 50 | push eax E8 11 A1 FE FF | call formbook_hook_PR_Write_3 83 C4 04 | add esp, 4 61 | popa ; restore registers 58 | pop eax 83 C4 04 | add esp, 4 C3 | retn .. .. formbook_hook_PR_Write_1: 68 88 88 88 88 | push 0x88888888; patched value E9 4B E1 FF FF | jmp formbook_hook_PR_Write_2 C3             | retn .. .. formbook_detour_func: 83 C4 04       | add esp, 4  E8 7B 03 FF FF | call formbook_hook_PR_Write_1 55             | push ebp 8B EC          | mov ebp, esp 8B 45 08       | mov eax, dword ptr ss:[ebp+8] 46             | inc esi 68 25 E1 EE    | push nss.PR_Write+5 C3             | retn 4 2 saved instructions trampoline 7 . 5
  • 37. Web-browsers targeted functionsWeb-browsers targeted functions DLL Function Browser Pre-encryption secur32.dll EncryptMessage Yes wininet.dll HttpSendRequestA HttpSendRequestW InternetQueryOptionW Yes nspr4.dll PR_Write Yes nss3.dll PR_Write Yes ws2_32.dll WSASend No 7 . 6
  • 38. Web-browsers Mail clients, FTP clients, IM apps The entire buffer containing credentials is sent to the C&C server Extract web-browser's User-Agent value for furtive C&C requests Detour functions goalsDetour functions goals Extract credentials from intercepted network requestsExtract credentials from intercepted network requests Search authentication keywords within hooked functions' buffer ['pass', 'token', 'email', 'login', 'signin', 'account', 'persistent'] ['user', 'pass', 'auth', 'login'] 7 . 7
  • 40. Windows Messaging SystemWindows Messaging System Messages from the window can be retreived with: GetMessage (blocking) PeekMessage (non-blocking) 8 . 2
  • 41. Functions hookedFunctions hooked GetMessage PeekMessage SendMessage Key-Logger implementationKey-Logger implementation All targeted applications are beeing key-loggedAll targeted applications are beeing key-logged Messages filtered by detour functionMessages filtered by detour function WM_KEYDOWN WM_SYSKEYDOWN WM_LBUTTONDOWN WM_RBUTTONDOWN typedef struct tagMSG { HWND hwnd; UINT message; // The message identifier WPARAM wParam; // The virtual-key code LPARAM lParam; DWORD time; POINT pt; DWORD lPrivate; } MSG, *PMSG, *NPMSG, *LPMSG; 8 . 3
  • 42. Virtual-key to character translationVirtual-key to character translation Custom virtual-key translationCustom virtual-key translation Virtual-Key Character Printable string 0x1b Escape Key [Esc] 0x12 Alt key [Alt] 0x09 Tab Key [Tab] 0x0d Enter key [Enter] 0x08 Backspace key [<-Del] Non-special charactersNon-special characters ToUnicode() 8 . 4
  • 43. Key-logger's file writing svchost.exe formbook.exe Targeted process firefox.exe formbook.exe Stage 3 shared memory area Same section mapped in all targeted processes and explorer's process shared memory area Injects targeted processes Explorer process explorer.exe formbook.exe shared memory area Formbook's thread running in explorer's process Reads keystrokes from shared memory area Writes keystrokes to shared memory area Creates thread in explorer's process Keylogger's file Writes into keylogger file 8 . 5
  • 44. Grabbing clipboard dataGrabbing clipboard data A window uses the clipboard when cutting, copying, or pasting data Mouse clicks events are used to trigger clipboard data extraction WM_LBUTTONDOWN WM_RBUTTONDOWN 8 . 6
  • 45. Keylogger file Clipboard file Temporary stored in %APPDATA% PREFIX matches regexp [a-zA-Z0-9] Derived from the username and C&C server Key-logger and Clipboard data fileKey-logger and Clipboard data file %APPDATA%RoamingPREFIX{8}PREFIX{3}log.ini %APPDATA%RoamingPREFIX{8}PREFIX{3}logc.ini 8 . 7
  • 47. Firefox Internet Explorer Chrome Opera Thunderbird Outlook Windows Vault Sqlite query targeting Firefox Sqlite query targeting Chrome  Password harvestingPassword harvesting Extract password saved on the filesystemExtract password saved on the filesystem SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_login SELECT origin_url, username_value, password_value FROM logins Browser-dumpwd project 9 . 2
  • 48. C&C Network ProtocolC&C Network Protocol 10 . 1
  • 49. C&C network protocol overviewC&C network protocol overview Formbook communicates with its C&C using HTTP requests The C&C server is implemented as a PHP web-application HTTP requests are "hand made" using low-level socket API Beaconing requests (GET) are used to pull C&C commands Exfiltration requests (POST) are used to send stolen data Data is encrypted using RC-4 Key is SHA-1(http.host + http.base_uri) A formbook PCAP can be decrypted without sample o/ 10 . 2
  • 50. Beaconing requestsBeaconing requests Send by formbook's thread running within explorer's process GET parameter value after base 64 decode and decryption FBNG: 4-bytes magic header C1EACBB4: CRC32 checksum of the user’s SID 3.8: Formbook version Windows 7 Enterprise x64: Operating system YWRtaW4xMjM0: base64 encoded username FBNG:C1EACBB43.8:Windows 7 Enterprise x64:YWRtaW4xMjM0 10 . 3
  • 51. C&C command in HTTP reply C&C command menu C&C commandsC&C commands Specified within HTTP replies to beaconing requests Server replies 200 OK only if a task has been added with the panel 10 . 4
  • 52. Type of exfiltrated data Intercepted network requests Password recoveries Keylogged data Clipboard data Screenshots POST parameter value after base 64 decode and decryption dat: base 64 encoded and RC-4 encrypted payload un: base 64 encoded username br: Type of exfiltrated data / Browser id Data exfiltration requestsData exfiltration requests dat=[TRUNC]LNSqnAQI6omSmS~2P0[TRUNC]&un=Ym9tYmVybWFu&br=9 10 . 5
  • 53. Fake C&C serversFake C&C servers Used to hide the real C&C server during sandbox analysis Randomly selected from the list of encrypted strings Reached as much as the real C&C server 77 f-start 78 spaceship2mars.net 79 streamlinecoach.net .. 103 gbmode.com .. 110 licitatii.site .. 126 monastery-records.com .. 140 daviesadeloye.com 141 msmhhh0opk.com 142 f-end 10 . 6
  • 54. Formbook PCAP decodingFormbook PCAP decoding Rémi J. @netsecurity1 We released a small python script used to parse #formbook PCAPs containing HTTP requests to C&C. Currently extracting: * Beaconing requests * Intercepted HTML forms * Password Recoveries * Clipboard data * Screenshotgithub.com/ThisIsSecurity… 197 09:31 - 8 oct. 2018 112 personnes parlent à ce sujet 10 . 7
  • 55. ConclusionConclusion Formbook is widely spread Easily accessible by cyber-criminals Uses a lot of anti-analysis tricks Implements interesting code injection techniques Can steal users' data using various mechanisms 11
  • 56. ReferencesReferences Previous workPrevious work D. Schwarz, - 09/2017 N. Villeneuve, R. Eitzman, S. Nemes, and T. Dean, - 10/2017 IDA Python script / Formbook PCAP decoderIDA Python script / Formbook PCAP decoder  Formbook sample (3.8)Formbook sample (3.8) The formidable formbook formgrabber Significant formbook distribution campaigns impacting the u.s. and south korea https://github.com/ThisIsSecurity/malware/tree/master/formbook Original sample Unpacked version 12