RAT-a-tat-tat
Taking the fight to the RAT controllers
Who Am I
• Jeremy du Bruyn
– twitter: @herebepanda, irc: panda

• Pentester / Consultant at SensePost
• Spoken at a previous ZaCon about password
cracking
• Currently doing an MSc at Rhodes
What's this about
• I've done some research on two prolific RATs that
I'd like to share with y'all
– I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy
– Some dynamic analysis using cuckoo sandbox
– Some static analysis using scripts to pick apart the
server binaries

• Ways to search for these RATs on the greater
internet
– With an example
Background story
• Malware.lu report on Mandiant APT1
– Python code for finding Poison Ivy C2's

• Are there any Poison Ivy C2s in ZA?
– Writing robust network code is hard
– Rather leverage NMAP
• I didn't find any Poison Ivy C2s in ZA :) / :(

• I really want to play with this, where can I get
some samples?
credit (http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf)
My collection
• VirusTotal gives researchers access to its Private API, which allows
searching for and downloading samples
• After speaking with some malware folks I got a list of the most
popular RATs being used in attacks
– (@vlad_o, @undeadsecurity, @bobmcardle)

• Started collecting in August 2013
• Samples downloaded
– Searched for “Poison.*” and “Fynloski.*” (Fynloski is the AV family name for DarkComet)
– Total 34 GB of samples

• For sure a cheap VPS would hold the few hundred MBs of samples I'd
download
link (https://www.virustotal.com/en/documentation/private-api/)
RAT infrastructure

credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Poison Ivy
• Been around for many years
– Oldest version on the website is from 2006, first
released in 2005
– Latest public version is 2.3.2 released in 2008
– Private versions still being released, including a Vista+
patch
– Free to download off the authors website

• Apparently very popular amongst Chinese
attackers
– Used by the APT1 group profiled in the Mandiant report
– Used in the 2011 RSA breach
Poison Ivy
• Samples
– 12,133 downloaded
– 5,004 analysed
• Too much pondering/figuring in the beginning

• 26 live
• Not a lot I know, but they provide some interesting insights
• Average PI C2 lifespan is 3 months

• Analysis conducted using a mixture of the
VirusTotal behavioural analysis results and local
cuckoo sandbox instance
VT Behavioural Analysis
• They use a “cluster” of cuckoo sandbox
machines to perform the analysis and provide
data via JSON
• VirusTotal behavioural analysis not conducted
on all samples
– Roughly 1 in 10
– Not allowed to share samples with 3rd parties
Cuckoo sandbox
• Cuckoo sandbox used for the majority of the samples
– 5 WinXP SP2 virtual machine guests
– Timeout of 2 minutes

• Only allowed DNS traffic to cuckoo host
– Unbound DNS resolver

• Tweaked to report all traffic, even bare SYNs
– modules/processing/network.py only reports completed connections, so when the C2 host is down the connection attempt (SYN, no answer) is not reported
– Malwr.com has the same problem

• api.py is super useful
– Submit jobs, get analysis reports in JSON

• At the end able to process a couple hundred samples a day
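Added example (mine, not code from the talk or from Cuckoo): the network.py problem above in stand-alone form. It parses a small libpcap blob that is constructed inline (Ethernet/IPv4/TCP frames, addresses from the RFC 5737 test ranges, not captured traffic) and reports every outbound SYN, marking the ones that never got a SYN/ACK. Those are exactly the C2 addresses a report limited to established flows drops when the controller is down at detonation time.

```python
"""Report unanswered SYNs from a pcap, the connection attempts a sandbox report
that only lists completed flows silently loses when the C2 host is down.
Added example; the pcap is built inline from RFC 5737 test addresses."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, ACK = 0x02, 0x10


def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame: no options, no payload, checksums left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def pcap_file(frames):
    """libpcap container: 24-byte global header, then 16-byte record header + frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame in the blob."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, captured, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + captured]
        off += 16 + captured
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield src, dst, sport, dport, ip[ihl + 13]


def connection_attempts(pcap):
    """Map (dst, dport) -> 'completed' or 'no-answer' for every SYN in the capture.

    A plain SYN registers an attempt; a SYN/ACK coming back from that (ip, port)
    upgrades it. Whatever stays 'no-answer' is the C2 a completed-flows-only
    report never shows."""
    attempts = {}
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if flags & SYN and not flags & ACK:
            attempts.setdefault((dst, dport), "no-answer")
        elif flags & SYN and flags & ACK and (src, sport) in attempts:
            attempts[(src, sport)] = "completed"
    return attempts


# Constructed capture: one C2 answers, the other is down (SYN retransmitted once).
VICTIM, LIVE_C2, DEAD_C2 = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SAMPLE_PCAP = pcap_file([
    tcp_frame(VICTIM, LIVE_C2, 40000, 3460, SYN),
    tcp_frame(LIVE_C2, VICTIM, 3460, 40000, SYN | ACK),
    tcp_frame(VICTIM, LIVE_C2, 40000, 3460, ACK),
    tcp_frame(VICTIM, DEAD_C2, 40001, 443, SYN),
    tcp_frame(VICTIM, DEAD_C2, 40001, 443, SYN),
])

if __name__ == "__main__":
    for (host, port), state in sorted(connection_attempts(SAMPLE_PCAP).items()):
        print(f"{host}:{port} {state}")
```

The same logic applied to the pcap Cuckoo stores per analysis gives the C2 IP and port even when the controller never answered, which is what the liveness-testing scripts on the next slide need as input.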
Analysis system
• System is postgres driven
• Extracted info from the samples put into DB:
– C2 / proxy IP
– Port

• Scripts would pick up unprocessed samples
and perform liveness testing of C2 and extract
the Camellia key
– Again writing to the DB
Poison Ivy
• Camellia key used to authenticate the server and
encrypt communication
– Camellia is a symmetric block cipher (128-bit blocks), not a hashing algorithm: the configured password is the key
– Used for all servers built with that password
– Can be extracted from server traffic :)
– The 24-character base64 values quoted later in this deck decode to 16 bytes, one Camellia block, so they fingerprint a password rather than spell it out; getting from a fingerprint to the clear-text password is the brute-force step

link (https://en.wikipedia.org/wiki/Camellia_(cipher))
Poison Ivy

• JtR module available for brute-forcing (malware.lu)
– I've asked for its inclusion into hashcat
– @atom, if you are reading this, *cough* oclhashcat
Vulnerabilities
• Metasploit module for a stack buffer overflow in the
Poison Ivy 2.3.2 C2 (controller)
– Think meterpreter on the RAT controller's machine
– All you need is the C2 IP, port and the clear-text Camellia
password
– Malware.lu guys used this to great effect

• FireEye “PIVY memory-decoding tool” for
Immunity debugger can also extract this info
Link (http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof)
(http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
My contribution
• NMAP service probes to detect C2’s across the
Internet and NSE script to extract Camellia key
from server traffic
DarkComet
• Very popular around the world
• Development abandoned by the author after
Syrian government use
– Crippled version available on author website
– Current public full version is 5.3.1
– Current public crippled version 5.4.1 “Legacy”

• Fairly good collection available via .torrent
Link (http://darkcomet-rat.com/)
(https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection)
DarkComet
• Samples
– 33,592 downloaded (32GB)
– 12,133 analysed
• 4408 successfully

• 40 live
• Analysis script inspired by AlienVault Labs
– Only worked on V5, updated to work on V5.1+
credit (https://code.google.com/p/alienvault-labs-garage/downloads/list)
DarkComet
• Encrypted server configuration information contained within the
binary
– C2 IP, port, password
– FTP host, port, username, password, path

• Server configuration encrypted using static keys:
– V5.1+: #KCMDDC51#-890
– V5.0: #KCMDDC5#-890
– V4.2F: #KCMDDC42F#-890
– V4.2: #KCMDDC42#-890
– V4.1: #KCMDDC4#-890
– V2.x + 3.x: #KCMDDC2#-890

• Static key and password (“PWD”) used to authenticate and encrypt
communications
credit (http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf)
DarkComet
[Pie chart: RC4 key (static key + PWD) used by the analysed DarkComet samples. #KCMDDC51#-890 (default key, empty password) is the large majority at 90.22%; #KCMDDC51#-8900123456789 (default key + password 0123456789) and Other make up the remaining 8.62% and 1.16%.]
DarkComet

• All of this is encrypted using the static key +
'PWD'
credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Vulnerabilities
• Makes use of a SQLite DB (comet.db)
– Contains information on all connected servers
– SQLi

• Arbitrary file download vulnerability
– RAT allows controller to overwrite files
– Doesn't check that the C2 initiated the connection

credit (http://www.matasano.com/research/PEST-CONTROL.pdf)
My contribution
• NMAP service probes to detect C2’s across the
Internet
– DarkComet
• Receives “IDTYPE” encrypted with the default (and most
popular) password

– Xtreme RAT
• Sends "myversion|3.6 Public\r\n"
• Receives
– Bytes 1-3: "\x58\x0d\x0a"
– Next 8 bytes: "\xd2\x02\x96\x49\x00\x00\x00\x00"
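Added example, not code from the talk, from the AlienVault script or from DarkComet itself. It covers both DarkComet slides above: the per-version static keys and the "static key + PWD" construction from the configuration slide, and the encrypted "IDTYPE" greeting the NMAP probe receives from a controller. RC4 output is taken to be upper-case hex both in the embedded config and on the wire (that encoding is my assumption; the slides do not show it). The sample config is constructed here by encrypting made-up values; the field names follow DarkComet's config layout.

```python
"""DarkComet RC4 helpers: config decryption and the IDTYPE handshake banner.
Added example. Static keys are the ones on the slide; hex encoding of the RC4
output is assumed."""

STATIC_KEYS = {
    "V5.1+": "#KCMDDC51#-890",
    "V5.0": "#KCMDDC5#-890",
    "V4.2F": "#KCMDDC42F#-890",
    "V4.2": "#KCMDDC42#-890",
    "V4.1": "#KCMDDC4#-890",
    "V2.x + 3.x": "#KCMDDC2#-890",
}

# The two passwords behind ~99% of the analysed samples: none, and "0123456789".
COMMON_PWDS = ("", "0123456789")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def dc_encrypt(plaintext: str, static_key: str, pwd: str = "") -> str:
    """RC4 under static_key + pwd, then upper-case hex."""
    return rc4((static_key + pwd).encode(), plaintext.encode()).hex().upper()


def dc_decrypt(hexdata: str, static_key: str, pwd: str = "") -> str:
    return rc4((static_key + pwd).encode(), bytes.fromhex(hexdata)).decode("latin-1")


def decrypt_config(config: dict, static_key: str) -> dict:
    """Config values are hex(RC4(static_key, value)). PWD is itself one of the
    values, which is why the config cannot also depend on the password."""
    return {name: dc_decrypt(value, static_key) for name, value in config.items()}


def identify_banner(banner: str, pwds=COMMON_PWDS):
    """A controller greets a connecting implant with RC4("IDTYPE") under static
    key + PWD. Trying every version key with the common passwords turns a received
    banner into (version, pwd); None means not DarkComet, or an uncommon PWD."""
    for version, static_key in STATIC_KEYS.items():
        for pwd in pwds:
            if dc_encrypt("IDTYPE", static_key, pwd) == banner.upper():
                return version, pwd
    return None


# Constructed sample: a V5.1+ config encrypted here so the block runs offline.
# Field names follow DarkComet's config layout; the values are made up.
SAMPLE_CONFIG = {
    name: dc_encrypt(value, STATIC_KEYS["V5.1+"])
    for name, value in {
        "MUTEX": "DC_MUTEX-EXAMPLE",
        "NETDATA": "c2.example.invalid:1604",
        "PWD": "0123456789",
    }.items()
}

if __name__ == "__main__":
    print(decrypt_config(SAMPLE_CONFIG, STATIC_KEYS["V5.1+"]))
    banner = dc_encrypt("IDTYPE", STATIC_KEYS["V5.1+"])  # what the probe sees
    print(banner, identify_banner(banner))
```

The match strings for an nmap-service-probes entry are the `dc_encrypt("IDTYPE", key)` values for each static key; a banner that matches none of them with an empty PWD but does match with "0123456789" tells you the operator at least changed the password.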
My contribution

• Updated DarkComet configuration extraction
script, for v5.1+
menuPass Campaign
• One of my samples had the filename
“Strategy_Meeting.exe” and a Google search turned up the FireEye
report “Poison Ivy: Assessing Damage and Extracting
Intelligence”
– menuPass campaign launched in 2009 targeting defense
contractors
– Main industries targeted were
• Defense, Consulting / Engineering, ISP, Aerospace, Heavy
Industry, Government

• Spear-phishing used as initial attack vector
– Weaponised .doc and .zip

• Using Pentest footprinting techniques I uncovered a bit
about their infrastructure
Link (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
menuPass Campaign

credit (http://www.paterva.com/web6/products/casefile.php)
menuPass Campaign
• “The IP 60.10.1.120 hosted the domain
apple.cmdnetview.com”
• This hostname appeared in my analysis but with
an IP of 112.213.118.34
• One of my samples has hk.2012yearleft.com
(112.213.118.33) and tw.2012yearleft.com
(50.2.160.125) as C2’s
– tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in
FireEye report
– 5 live samples using this C2 in my collection
– All used Camellia key “ketcxsAWfeAxiQ64ndURvA==”
menuPass Campaign
• New hostnames found using
“ketcxsAWfeAxiQ64ndURvA==” from my samples:
– banana.cmdnetview.com
– drives.methoder.com
– muller.exprenum.com

• New hostnames in 50.2.160.0/24 from samples:
– kmd.crabdance.com: 50.2.160.104
– banana.cmdnetview.com: 50.2.160.146
– drives.methoder.com: 50.2.160.125
– muller.exprenum.com: 50.2.160.125
menuPass Campaign
• Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found
additional C2s in 50.2.160.0/24 (IP:port(s), hostnames, key fingerprint):
– 50.2.160.42:80/443, key 3ntLjgUGgQUYeKl3ncWgeQ==
– 50.2.160.84:80/443 (daddy.gostudyantivirus.com), key AoFSY4Fi5u8sX3Bo7To86w==
– 50.2.160.104:443, key gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com), key ketcxsAWfeAxiQ64ndURvA==
– 50.2.160.146:443, key ketcxsAWfeAxiQ64ndURvA==
– 50.2.160.179:443, key gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.193:443, key tG3Sl8fQtuyKj/jh97O67w==
– 50.2.160.226:443, key gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.241:443, key gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign
• Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from
50.2.160.104):
– ux.niushenghuo.info: 142.4.121.144
– for.ddns.mobi: 142.4.121.144

• Hostnames from samples in 142.4.121.0/24:
– gold.polopurple.com: 142.4.121.138

• Additional PI C2s in 142.4.121.0/24 using NMAP:
– 142.4.121.137:80/443, key 3ntLjgUGgQUYeKl3ncWgeQ==
– 142.4.121.139:80/443, key AoFSY4Fi5u8sX3Bo7To86w==
– 142.4.121.140:443, key gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.141:80, key ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.142:443, key ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.144:443, key gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.181:443, key gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.203:443, key gdWSvDcDqmZFC5/qvQiwhQ==
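Added example (mine, not the speaker's tooling): the pivoting on the menuPass slides as a graph. Nodes are IPs, hostnames, parent domains, the registrant e-mail and the Camellia key fingerprints, all transcribed from the slides; the edges are the observations. Strong pivots (shared key, hostname resolution, common registrant) are kept apart from the weak netblock pivot, because the gdWS cluster only joins the ketc/registrant cluster through the shared 50.2.160.0/24 range. Dynamic-DNS parent domains (crabdance.com, ddns.mobi) are excluded from the domain pivot: every customer of those providers shares them.

```python
"""Pivot graph over the menuPass observations transcribed from the slides.
Added example; not the speaker's tooling."""
from collections import defaultdict, deque
from ipaddress import ip_network

# (ip, hostnames seen resolving to it, key fingerprint or None where the slides give none)
OBSERVATIONS = [
    ("112.213.118.33", ["hk.2012yearleft.com"], None),
    ("112.213.118.34", ["apple.cmdnetview.com"], None),
    ("50.2.160.42", [], "3ntLjgUGgQUYeKl3ncWgeQ=="),
    ("50.2.160.84", ["daddy.gostudyantivirus.com"], "AoFSY4Fi5u8sX3Bo7To86w=="),
    ("50.2.160.104", ["kmd.crabdance.com"], "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.125", ["tw.2012yearleft.com", "document.methoder.com", "drives.methoder.com",
                      "mocha.100fanwen.com", "scrlk.exprenum.com", "zone.demoones.com",
                      "muller.exprenum.com"], "ketcxsAWfeAxiQ64ndURvA=="),
    ("50.2.160.146", ["banana.cmdnetview.com"], "ketcxsAWfeAxiQ64ndURvA=="),
    ("50.2.160.179", [], "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.193", [], "tG3Sl8fQtuyKj/jh97O67w=="),
    ("50.2.160.226", [], "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.241", [], "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.137", [], "3ntLjgUGgQUYeKl3ncWgeQ=="),
    ("142.4.121.138", ["gold.polopurple.com"], None),
    ("142.4.121.139", [], "AoFSY4Fi5u8sX3Bo7To86w=="),
    ("142.4.121.140", [], "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.141", [], "ketcxsAWfeAxiQ64ndURvA=="),
    ("142.4.121.142", [], "ketcxsAWfeAxiQ64ndURvA=="),
    ("142.4.121.144", ["ux.niushenghuo.info", "for.ddns.mobi"], "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.181", [], "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.203", [], "gdWSvDcDqmZFC5/qvQiwhQ=="),
]
REGISTRANTS = {"zhengyanbin8@gmail.com": ["2012yearleft.com", "cmdnetview.com",
                                          "gostudyantivirus.com", "100fanwen.com"]}
# Shared dynamic-DNS providers would join unrelated actors; never pivot on them.
DYNAMIC_DNS = {"crabdance.com", "ddns.mobi"}
STRONG = ("key", "host", "domain", "registrant")
WEAK = ("netblock",)


def parent_domain(hostname):
    return ".".join(hostname.split(".")[-2:])


def build_graph(observations=OBSERVATIONS, registrants=REGISTRANTS, kinds=STRONG):
    """Undirected graph; `kinds` selects which pivot types become edges."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for ip, hosts, key in observations:
        if key and "key" in kinds:
            link(f"ip:{ip}", f"key:{key}")
        if "netblock" in kinds:
            link(f"ip:{ip}", f"net:{ip_network(ip + '/24', strict=False)}")
        for h in hosts:
            if "host" in kinds:
                link(f"ip:{ip}", f"host:{h}")
            if "domain" in kinds and parent_domain(h) not in DYNAMIC_DNS:
                link(f"host:{h}", f"domain:{parent_domain(h)}")
    if "registrant" in kinds:
        for email, domains in registrants.items():
            for d in domains:
                link(f"domain:{d}", f"reg:{email}")
    return g


def pivot_path(g, start, goal):
    """Shortest chain of pivots from start to goal (BFS), or None if unconnected."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in g[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def component(g, node):
    """Every node reachable from `node`: one cluster of infrastructure."""
    seen, queue = {node}, deque([node])
    while queue:
        for nxt in g[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scan_candidates(g, node):
    """The /24s around every IP in node's cluster: the ranges to sweep next with the probes."""
    nets = {ip_network(n[3:] + "/24", strict=False) for n in component(g, node) if n.startswith("ip:")}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    g = build_graph()
    print(" -> ".join(pivot_path(g, "ip:112.213.118.34", "ip:50.2.160.125")))
    print(scan_candidates(g, "ip:50.2.160.125"))
```

With strong pivots only, the FireEye IP 112.213.118.34 reaches 50.2.160.125 through the common registrant, but the gdWS hosts stay a separate cluster; adding the netblock edge joins them, which is the inference the slides make and worth labelling as the weaker one when reporting.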
menuPass Campaign
• zhengyanbin8@gmail.com registered:
– 2012yearleft.com
– cmdnetview.com
– gostudyantivirus.com
– 100fanwen.com

• DomainTools reports that this email address
has been used to register 157 domains
– So still a lot of research to be done
Conclusion
• Those with an interest in amateur malware
analysis
– I utilised my pentesting skillset to work on this stuff

• Defenders looking for more ways to defend
– Using these methods you can start investigating
attacks on your organisation and start moving up the
kill-chain

• Greyhats wanting to increase the cost for attackers
running these RATs
Thank You
• If there’s time for questions, shoot.
• Otherwise catch me at lunch
