WARNING: Do Not Feed the Bears
Miroslav Štampar
(mstampar@zsis.hr; miroslav@sqlmap.org)
BSidesLjubljana 0x7E1, Ljubljana (Slovenia), March 10th, 2017

Context
Croatian Government CERT
Dealing with a vast diversity of incidents (e.g. ransomware, defacements, DoS attacks)
Most interesting (by far) are APT attacks
“Have you noticed anything strange with your computer lately? -Nope. Though, IE with Twitter is popping out here and there… and I don’t use Twitter” (recent APT incident)
We are part of NATO and the EU, hence a natural target of “advanced persistent threats”

Introduction
In January we got two (forwarded) suspicious emails with the question “was this an attack?”
From August (Bulletin.doc, the bigger one) and November (Operation_in_Mosul.doc, the smaller one) of 2016
Originally addressed to one “sensitive” government institution, hence we expected the “unexpected”
Attachments were Microsoft Office documents (.doc), a regular attack vector in this kind of (spear) phishing attack
In the majority of cases malicious Macros are used, while in this case there were no Macros

Emails (content)

Emails (headers)

Emails (reverse DNS)

Attachments (.doc / RTF)

Initial findings (long hex strings)

Initial findings (CLSID)

Initial findings (ShockwaveFlash)

Initial findings (hash/VirusTotal)

Dummy run (VM)

Extracting OLE objects (OfficeMalScanner)

Decompiling SWF files (ffdec)

Encrypted payloads (exploit + dropper)

Decryption (LFSR) routine (Bulletin.doc)

Decryption/Loader routine (Operation_in_Mosul.doc)

Payload “choice” (Bulletin.doc)
Flash Player Version        Embedded Binary   Vulnerability
20.0.0.306 - 21.0.0.242     (Ver_)ExtSwf2     CVE-2016-4117
20.0.0.228 - 20.0.0.306     (Ver_)ExtSwf      CVE-2016-1019
11.5.502.146 - 19.0.0.207   (Ver_)ExtSwf1     CVE-2015-7645
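The table above is the selector logic of the Bulletin.doc dropper seen from the defender's side: a version check that turns the installed Flash Player build into a choice of exploit. The following is an added example, not code from the talk, that applies the same three ranges to a software inventory so an incident responder can see which hosts fall inside a targeted range. Version strings are compared as numeric tuples (a lexical comparison would put 9.0.0.1 after 11.5.502.146), range bounds are treated as inclusive as the slide gives them, and the boundary value 20.0.0.306, which appears in two rows, correctly matches both. The inventory record format (hostname,version) and the host names are constructed for the example.

```python
# Added example (not from the talk): which of the Flash Player version ranges
# from the Bulletin.doc selector table does an installed version fall into?
# Ranges, embedded-binary names and CVEs are copied from the slide table;
# the inventory lines further down are constructed sample data.
from typing import List, Tuple

Version = Tuple[int, ...]

# (low, high, embedded binary, CVE), exactly as listed on the slide
TARGETED_RANGES = [
    ("20.0.0.306", "21.0.0.242", "(Ver_)ExtSwf2", "CVE-2016-4117"),
    ("20.0.0.228", "20.0.0.306", "(Ver_)ExtSwf", "CVE-2016-1019"),
    ("11.5.502.146", "19.0.0.207", "(Ver_)ExtSwf1", "CVE-2015-7645"),
]


def parse_version(text: str) -> Version:
    """Turn '20.0.0.306' into (20, 0, 0, 306) so that ranges compare
    numerically; as strings, '9.0.0.1' would sort after '11.5.502.146'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def matching_exploits(version_text: str) -> List[Tuple[str, str]]:
    """Return [(embedded binary, CVE), ...] for every listed range containing
    the version. Bounds are inclusive, as the slide gives them, so the
    boundary build 20.0.0.306 matches two rows."""
    v = parse_version(version_text)
    hits = []
    for low, high, binary, cve in TARGETED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            hits.append((binary, cve))
    return hits


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, List[Tuple[str, str]]]]:
    """Records are 'hostname,flash_version' (constructed format). Returns one
    (host, version, hits) triple per record; an empty hits list only means the
    build is outside every range this particular selector handles."""
    result = []
    for line in lines:
        host, _, ver = line.partition(",")
        result.append((host, ver, matching_exploits(ver)))
    return result


SAMPLE_INVENTORY = [          # constructed, not real hosts
    "ws-01,20.0.0.306",       # boundary build: sits in two ranges
    "ws-02,18.0.0.232",       # older branch: CVE-2015-7645 range
    "ws-03,24.0.0.194",       # newer than every listed range
    "ws-04,21.0.0.242",       # upper edge of the CVE-2016-4117 range
]

if __name__ == "__main__":
    for host, ver, hits in triage_inventory(SAMPLE_INVENTORY):
        label = ", ".join(f"{b} -> {c}" for b, c in hits) or "no listed range"
        print(f"{host:6} Flash {ver:14} {label}")
```

A host reported as "no listed range" is outside what this dropper's three embedded SWFs cover, not necessarily patched: builds older than 11.5.502.146 are also unmatched, and later DealersChoice samples carry different ranges.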

Vulnerabilities exploited (Bulletin.doc)

Payload decryption

Payload decompression (CWS/FWS)
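Once a payload has been decrypted, the next question is whether the resulting SWF is stored uncompressed (FWS signature) or zlib-compressed (CWS signature); a decompiler such as ffdec wants a well-formed file either way. The following is an added example, not code from the talk, that classifies an SWF by its 3-byte signature, inflates a CWS body back to FWS form and checks the uncompressed length declared in the header, so a truncated or mis-decrypted payload is reported instead of being handed on silently. The 8-byte header layout (signature, version byte, little-endian uncompressed length counting the header itself) is the published SWF format; the sample SWF body is constructed (a 550x400, 12 fps, one-frame movie with only a ShowFrame and an End tag) and no real payload is embedded. LZMA-compressed SWFs (ZWS) are recognised but deliberately not decoded here.

```python
# Added example, not from the talk: normalise a decrypted SWF payload to its
# uncompressed FWS form before handing it to a decompiler such as ffdec.
import struct
import zlib

SWF_HEADER_LEN = 8  # signature (3) + version (1) + uncompressed length (4, LE)

# Constructed minimal SWF body: RECT 550x400, frame rate 12.0, frame count 1,
# ShowFrame tag (code 1, length 0) and End tag. Not taken from any sample.
SAMPLE_BODY = bytes.fromhex("7800055f00000fa000" "000c" "0100" "4000" "0000")


def swf_kind(blob: bytes) -> str:
    """Classify by signature: 'FWS' (uncompressed), 'CWS' (zlib), 'ZWS' (LZMA)
    or 'unknown' for anything else."""
    sig = blob[:3]
    return sig.decode("ascii") if sig in (b"FWS", b"CWS", b"ZWS") else "unknown"


def build_fws(body: bytes, version: int = 10) -> bytes:
    """Assemble an uncompressed SWF; the length field counts the 8-byte header."""
    return b"FWS" + bytes([version]) + struct.pack("<I", SWF_HEADER_LEN + len(body)) + body


def build_cws(fws: bytes) -> bytes:
    """Compress an FWS into CWS form: the header keeps the *uncompressed*
    length, everything after it is one zlib stream."""
    assert fws[:3] == b"FWS"
    return b"CWS" + fws[3:SWF_HEADER_LEN] + zlib.compress(fws[SWF_HEADER_LEN:])


def inflate_swf(blob: bytes) -> bytes:
    """Return the FWS form of an FWS or CWS blob, validating the declared
    uncompressed length so damaged input raises instead of passing through."""
    if len(blob) < SWF_HEADER_LEN:
        raise ValueError("shorter than an SWF header")
    sig, version, declared_len = struct.unpack("<3sBI", blob[:SWF_HEADER_LEN])
    if sig == b"FWS":
        body = blob[SWF_HEADER_LEN:]
    elif sig == b"CWS":
        try:
            body = zlib.decompress(blob[SWF_HEADER_LEN:])
        except zlib.error as exc:            # truncated or corrupt stream
            raise ValueError(f"CWS zlib stream is damaged: {exc}") from None
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled by this example")
    else:
        raise ValueError(f"not an SWF signature: {sig!r}")
    out = b"FWS" + bytes([version]) + struct.pack("<I", declared_len) + body
    if len(out) != declared_len:
        raise ValueError(f"declared length {declared_len} but got {len(out)} bytes")
    return out


if __name__ == "__main__":
    fws = build_fws(SAMPLE_BODY)
    cws = build_cws(fws)
    print(swf_kind(cws), len(cws), "bytes ->", swf_kind(inflate_swf(cws)),
          len(inflate_swf(cws)), "bytes")
```

The length check is the useful part for triage: if an LFSR or XOR decryption was run with the wrong key, the zlib stream will usually fail outright, but a partially right key can still yield a signature that looks fine and a body whose length disagrees with the header.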

Payload (dbg) strings (Bulletin.doc)

CVE-2016-4117 (Bulletin.doc)

CVE-2015-7645 (Bulletin.doc)

CVE-2016-1019 (Bulletin.doc)

Payload “fetch” (Operation_in_Mosul.doc)

Infection phase (Bulletin.doc)

nshwmpfs.dll (runtime check)

nshwmpfs.dll (Carberp source)

nshwmpfs.dll (string (de)obfuscation)

nshwmpfs.dll (what is it all about?)
Reconnaissance (first stage) malware (aka JHUHUGIT)
Downloading, execution and deletion of arbitrary files
Collects basic data about the infected system and sends it (in encrypted form) to the C&C
If the C&C server and/or operator finds the system “interesting”, it leaves a command for downloading the second stage malware
Second stage malware: SPLM (aka Xagent, aka CHOPSTICK) and AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS)

Appendix A: Servers (C&C)
accgmail.com (mail server) - 213.202.214.148
servicecdp.com (C&C - Bulletin.doc) - 87.236.211.182
uniquecorpind.com (C&C / exploits - Operation_in_Mosul.doc) - 62.113.232.196
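The domains and addresses in Appendix A are the indicators a defender would sweep DNS-resolver and proxy logs for. The following is an added example, not code from the talk, that does that sweep over a handful of log lines: the indicator values are the ones listed above, while the log format ("timestamp source-ip query|connect value") and the log lines themselves are constructed for the example. Domain matching is exact-or-subdomain, so a look-alike such as notaccgmail.com does not fire while cdn.uniquecorpind.com does; IP matching parses the address rather than substring-searching it, and a trailing :port on a connect record is stripped first.

```python
# Added example, not from the talk: sweep constructed DNS/proxy log lines for
# the Appendix A indicators and report which internal hosts touched them.
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# domain -> (role, IP), values taken from the Appendix A slide
INDICATORS: Dict[str, Tuple[str, str]] = {
    "accgmail.com": ("mail server", "213.202.214.148"),
    "servicecdp.com": ("C&C - Bulletin.doc", "87.236.211.182"),
    "uniquecorpind.com": ("C&C / exploits - Operation_in_Mosul.doc", "62.113.232.196"),
}
IP_TO_DOMAIN = {ip: dom for dom, (_, ip) in INDICATORS.items()}

# Constructed log format: "<timestamp> <src-ip> <query|connect> <value>"
# where 'query' carries a DNS name and 'connect' a destination ip[:port] or host[:port].
LOG_RE = re.compile(r"^(\S+) (\S+) (query|connect) (\S+)$")

SAMPLE_LOG = [  # constructed lines; 10.0.0.0/8 sources are made up
    "2017-01-12T09:14:02Z 10.0.0.23 query www.example.org",
    "2017-01-12T09:14:05Z 10.0.0.23 query servicecdp.com.",
    "2017-01-12T09:14:06Z 10.0.0.23 connect 87.236.211.182:443",
    "2017-01-12T09:15:30Z 10.0.0.41 query notaccgmail.com",        # look-alike, must not match
    "2017-01-12T09:16:11Z 10.0.0.41 query cdn.uniquecorpind.com",  # subdomain, must match
    "2017-01-12T09:17:00Z 10.0.0.7 connect 62.113.232.196:80",
    "garbage line that does not parse",
]


def match_domain(name: str) -> Optional[str]:
    """Exact or subdomain match against the indicator domains (case-insensitive,
    trailing dot tolerated). Returns the matched indicator domain or None."""
    name = name.lower().rstrip(".")
    for dom in INDICATORS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def match_ip(text: str) -> Optional[str]:
    """Return the indicator domain whose listed IP equals the address, or None
    when the text is not an IP address or is not listed."""
    try:
        ip = str(ipaddress.ip_address(text))
    except ValueError:
        return None
    return IP_TO_DOMAIN.get(ip)


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source, indicator domain, role) for every log line that
    touches an Appendix A indicator; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, kind, value = m.groups()
        if kind == "connect":
            value = value.rsplit(":", 1)[0]      # drop ':port' if present
        dom = match_domain(value) or match_ip(value)
        if dom:
            hits.append((ts, src, dom, INDICATORS[dom][0]))
    return hits


def hosts_to_investigate(hits: List[Tuple[str, str, str, str]]) -> Dict[str, List[str]]:
    """Group hits by internal source address: which host talked to which indicator."""
    out: Dict[str, List[str]] = {}
    for _, src, dom, _ in hits:
        if dom not in out.setdefault(src, []):
            out[src].append(dom)
    return out


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ts, src, dom, role in found:
        print(f"{ts} {src} -> {dom} ({role})")
    print(hosts_to_investigate(found))
```

A source that both resolved a C&C name and then connected to its listed address within seconds (10.0.0.23 in the sample) is the pattern worth prioritising; a lone DNS query can be a security scanner or a sandbox doing the same lookup.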

Appendix B: Passive DNS / WHOIS

Related work
Palo Alto Networks, “‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform”, Oct. 2016.
Palo Alto Networks, “Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue”, Dec. 2016.
FireEye, “CVE-2016-4117: Flash Zero-Day Exploited in the Wild”, May 2016.
SonicWall, “Adobe Type Confusion Vulnerability CVE-2015-7645 Exploits in the Wild”, 2016.
Trend Micro, “A Look Into Adobe Flash Player CVE-2016-1019 Zero-Day Attack”, Apr. 2016.

Questions?