Modern reconnaissance phase
by APT – protection layer
whoami
• Paul Rascagneres – prascagn@cisco.com // @r00tbsd
• Security Researcher at Cisco Talos
• Malware & APT hunter for more than 7 years…
• Co-Organizer of Botconf, the CFP is still opened ;-)
https://www.botconf.eu/botconf-2017/call-for-papers-2017/
whoami
• Warren Mercer – wamercer@cisco.com // @SecurityBeard
• Security Researcher at Cisco Talos
• I like looking at malware and finding it :)
• NetSec, Malware Analysis,
Threat Intelligence.
• Co-Founder of BSides Belfast,
don’t go to France,
come to Northern Ireland instead!
https://www.bsidesbelfast.org
Agenda
• Infection vector: reconnaissance evolution
• 5 case studies
• Maybe the beginning…
• Mitigations
• Conclusion
• Technical bonus ( if nobody asks questions :P )
Infection vector:
reconnaissance evolution
Infection vector: reconnaissance evolution
• Why this presentation?
• A few issues for APT actors:
• Sandbox systems
• Automatic analysis of malicious documents
• Valuable code for APT actors:
• Complex RAT framework
• 0-day
• Evolution: the infection vectors now include mechanisms to avoid leaking 0-days, complex RAT frameworks or any other valuable code to malware researchers/security companies
Case Study 1 - NATO
Case Study 1
• SHA256: ffd5bd7548ab35c97841c31cf83ad2ea5ec02c741560317fc9602a49ce36a763
• Filename: NATO secretary meeting.doc
Matryoshka doll – Reconnaissance Framework
Case Study 1
• RTF document with a succession of embedded objects
Case Study 1
• First step: Reconnaissance via a first Flash object:
A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f
Screenshot callouts: HTTP request to the C&C (note the /nato path), Flash in ActiveX object, Windows version, Flash version
Case Study 1
• Second step: if the collected data is good for the operator:
Downloading of the Payload & Flash Exploit
• if not: end of chain :’(
Case Study 1
• Third step: Flash loading and exploitation & payload execution
On the fly Flash loading
Shellcode variable
Case Study 1
• Cisco Umbrella helped us to identify DNS traffic associated with this
C&C. The huge quantity of requests starting the 16th of January was
performed by the security research community:
Case Study 2 – Dina Bosio
Case Study 2
• SHA256: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6
• Filename: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc
Case Study 2
• Macro
Screenshot callouts: beginning of the encoded next stage, JavaScript stage, RC4 key in argument to the JavaScript stage
Case Study 2
• JavaScript
Screenshot callouts: Base64 function, RC4 function
Case Study 2
• Final payload
Systeminfo
net view
net view /domain
tasklist /v
gpresult /z
netstat -nao
ipconfig /all
arp -a
net share | net use | net user
net user administrator
net user /domain
net user administrator /domain
set
dir %systemdrive%\Users\*.*
dir %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*
dir %userprofile%\Desktop\*.*
tasklist /fi modules eq wow64.dll
tasklist /fi modules ne wow64.dll
dir %programfiles(x86)%
dir %programfiles%
dir %appdata%
CC
Case Study 2
• Data sent to 2 compromised websites
• If the data is good for the attacker, a PE32 file is downloaded and executed (MailForm.pif)
• If not: no final payload :’(
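The command list above is what the Case Study 2 payload runs once it lands. As an added example (not code from the talk), here is detection logic a defender can run over process-creation logs to catch that burst: it groups recon tool executions by parent process and alerts when one parent spawns several distinct recon commands within a short window. The log format, the sample lines and the thresholds are constructed for this example and are not a real Sysmon or EDR schema.

```python
"""Flag a burst of host-reconnaissance commands spawned by one parent process.

Added example, not from the talk. The Case Study 2 payload runs systeminfo,
net view, tasklist, gpresult, netstat, ipconfig, arp, net user ... back to
back. Any one of these is normal admin activity; many distinct ones from the
same parent within a short window is the signal to hunt for. The log format
below is a constructed, simplified process-creation record (timestamp, host,
parent pid, pid, image path, command line), not a real Sysmon/EDR format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image names of the recon tools used by the Case Study 2 payload
# (net.exe hands most "net ..." commands to net1.exe, so both are listed).
RECON_IMAGES = {
    "systeminfo.exe", "net.exe", "net1.exe", "tasklist.exe",
    "gpresult.exe", "netstat.exe", "ipconfig.exe", "arp.exe",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) pid=(?P<pid>\d+) "
    r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# Constructed sample: one parent (ppid 4120 on WS01) running the recon batch,
# plus unrelated admin activity on WS02 that must not alert.
SAMPLE_LOG = r"""
2017-01-16T10:00:01Z host=WS01 ppid=4120 pid=4123 image=C:\Windows\System32\systeminfo.exe cmd=systeminfo
2017-01-16T10:00:02Z host=WS01 ppid=4120 pid=4124 image=C:\Windows\System32\net.exe cmd=net view
2017-01-16T10:00:02Z host=WS01 ppid=4120 pid=4125 image=C:\Windows\System32\net.exe cmd=net view /domain
2017-01-16T10:00:03Z host=WS01 ppid=4120 pid=4126 image=C:\Windows\System32\tasklist.exe cmd=tasklist /v
2017-01-16T10:00:03Z host=WS01 ppid=4120 pid=4127 image=C:\Windows\System32\gpresult.exe cmd=gpresult /z
2017-01-16T10:00:04Z host=WS01 ppid=4120 pid=4128 image=C:\Windows\System32\NETSTAT.EXE cmd=netstat -nao
2017-01-16T10:00:04Z host=WS01 ppid=4120 pid=4129 image=C:\Windows\System32\ipconfig.exe cmd=ipconfig /all
2017-01-16T10:00:05Z host=WS01 ppid=4120 pid=4130 image=C:\Windows\System32\ARP.EXE cmd=arp -a
2017-01-16T10:05:00Z host=WS02 ppid=9001 pid=9002 image=C:\Windows\System32\ipconfig.exe cmd=ipconfig /all
2017-01-16T11:30:00Z host=WS02 ppid=9001 pid=9010 image=C:\Windows\System32\net.exe cmd=net user
2017-01-16T11:30:00Z host=WS02 ppid=9001 pid=9011 image=C:\Windows\System32\cmd.exe cmd=cmd /c dir
"""


def parse_line(line):
    """Parse one record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["image"] = rec["image"].rsplit("\\", 1)[-1].lower()   # basename only
    return rec


def find_recon_bursts(lines, min_distinct=5, window_seconds=60):
    """Return [(host, ppid, first_ts, commands)] for every parent that spawned
    at least min_distinct different recon commands inside window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_parent = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["image"] in RECON_IMAGES:
            by_parent[(rec["host"], rec["ppid"])].append(rec)

    alerts = []
    for (host, ppid), recs in by_parent.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):            # sliding window over this parent's children
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = {r["cmd"].strip().lower() for r in recs[start:end + 1]}
            if len(distinct) >= min_distinct:
                t0 = recs[start]["ts"]
                # report every recon command inside the window that tripped the rule
                cmds = sorted({r["cmd"].strip().lower() for r in recs
                               if t0 <= r["ts"] <= t0 + window})
                alerts.append((host, ppid, t0, cmds))
                break                           # one alert per parent
    return alerts


if __name__ == "__main__":
    for host, ppid, t0, cmds in find_recon_bursts(SAMPLE_LOG.strip().splitlines()):
        print(f"{host} ppid={ppid} at {t0}: {len(cmds)} recon commands: {cmds}")
```

Keying on the parent process rather than on the user is what separates the payload from a help-desk engineer: the batch runs every command under one cmd.exe parent within seconds, whereas an administrator's commands are spread over a session. Tune min_distinct and window_seconds against your own baseline before alerting on it.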
Case Study 3 – Survey Time!
Case Study 3
• SHA256: eb1f47c9f71d3fd2ff744a9454c256bf3248921fbcbadf0a80d5e73a0c6a82de
• Filename: survey.xls
Case Study 3
• Macro
• Creation of a VBS to execute PowerShell
Screenshot callouts: execution with a Scheduled Task… No CreateProcess()
Case Study 3
CC
Case Study 3
• A batch file is downloaded from the C&C in order to collect information about the target system:
• If the collected data is sufficient for the attacker, a RAT is downloaded; if not: no final payload
Case Study 4 – Korean New Year
Case Study 4
• SHA256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919
• Filename: 5170101-17년_북한_신년사_분석.hwp
(5170101-17 __ North Korea _ New Year _ analysis .hwp)
Case Study 4
• Hangul Word Processor
• An HWP document allegedly written by the Korean Ministry of Unification
• The document contains links to 2 OLE objects
Case Study 4
• The OLE objects drop 2 executables
C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (2).exe
C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (3).exe
Case Study 4
• First step: open a decoy document
Case Study 4
• Second step: collect information about the target
- Computer name
- Username
- Execution path
- BIOS model (HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData)
• Purpose: to determine if the target is suitable for attack
Case Study 4
• Example request (PCAP available on VirusTotal)
Decoded data:
0F37555F#0#0#0#TEQUILABOOMBOOM#janettedoe#C:\4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4#innotek	GmbH	VirtualBox 1.2
Screenshot callouts: hostname, username, execution path, BIOS model
Case Study 4
• Third step: if the collected data is sufficient for the attacker: download & execute the final payload; if not: no payload (.jpg file)
• The command & control is a compromised Korean governmental website: Korean Government Legal Service
- www.kgls.or.kr/news2/news_dir/index.php (where the collected information is sent)
- www.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg (where 02BC6B26 is a random ID)
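The Case Study 1 Flash query string and the Case Study 4 decoded beacon are the data the operator uses to decide whether the exploit and payload are worth sending. As an added example (not code from the talk or from the malware), the Python below parses both beacon formats and lists the fields that betray an analysis environment, which is why a sandbox submission ends the chain without a payload. The key-name mapping follows Flash's Capabilities.serverString format; the field layout of the HWP beacon is taken from the slide's callouts; the sandbox heuristics in sandbox_tells are an assumption made for illustration, not the attackers' actual decision logic.

```python
"""Decode the reconnaissance beacons from Case Study 1 (Flash) and Case Study 4 (HWP).

Added example, not code from the talk or from the malware. It shows what each
beacon leaks and which fields give away an analysis box, which is why the
operator withholds the exploit and payload from such a victim.
"""
import re
from urllib.parse import parse_qs

# Case Study 1: the first Flash object posts the Flash Capabilities string.
# Key names follow Flash's documented Capabilities.serverString format.
SERVER_STRING_KEYS = {
    "OS": "os", "V": "version", "M": "manufacturer", "R": "screen_resolution",
    "DP": "screen_dpi", "L": "language", "PT": "player_type",
    "DEB": "is_debugger", "AVD": "av_hardware_disable",
    "LFD": "local_file_read_disable", "ACC": "has_accessibility",
}

# Query string as shown on the Case Study 1 slide, re-joined across line wraps.
FLASH_BEACON = (
    "A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t"
    "&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color"
    "&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t"
    "&DD=f&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f"
)

# Decoded beacon as shown on the Case Study 4 slide (backslash restored,
# tabs kept as separators inside the SMBIOS string).
HWP_BEACON = (
    "0F37555F#0#0#0#TEQUILABOOMBOOM#janettedoe"
    "#C:\\4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4"
    "#innotek\tGmbH\tVirtualBox 1.2"
)


def parse_flash_beacon(query_string):
    """Return the decoded Capabilities fields; t/f flags become booleans."""
    raw = {k: v[0] for k, v in parse_qs(query_string).items()}
    out = {}
    for key, name in SERVER_STRING_KEYS.items():
        if key in raw:
            val = raw[key]
            out[name] = (val == "t") if val in ("t", "f") else val
    if "version" in out:                      # "WIN 9,0,0,0" -> "WIN", (9, 0, 0, 0)
        platform, _, nums = out["version"].partition(" ")
        out["platform"] = platform
        out["version"] = tuple(int(n) for n in nums.split(","))
    if "screen_resolution" in out:            # "1600x1200" -> (1600, 1200)
        w, h = out["screen_resolution"].split("x")
        out["screen_resolution"] = (int(w), int(h))
    return out


def parse_hwp_beacon(decoded):
    """Split the '#'-separated beacon: ID, three counters, hostname, username,
    execution path, then the SMBIOS data string (layout as annotated on the slide)."""
    parts = decoded.split("#")
    if len(parts) < 8:
        raise ValueError("unexpected beacon layout")
    return {
        "id": parts[0],
        "counters": tuple(parts[1:4]),
        "hostname": parts[4],
        "username": parts[5],
        "exec_path": parts[6],
        "smbios": "#".join(parts[7:]).replace("\t", " ").strip(),
    }


def sandbox_tells(flash=None, hwp=None):
    """List the fields that mark the victim as an analysis environment
    (illustrative heuristics, an assumption of this example)."""
    tells = []
    if flash:
        if flash.get("is_debugger"):
            tells.append("debug Flash Player (DEB=t)")
        if flash.get("version") and flash["version"][0] < 11:
            tells.append("very old Flash " + ".".join(map(str, flash["version"])))
        if flash.get("os") == "Windows XP":
            tells.append("Windows XP")
    if hwp:
        if "innotek" in hwp["smbios"].lower() or "virtualbox" in hwp["smbios"].lower():
            tells.append("VirtualBox SMBIOS vendor string")
        # the slide's sample ran as <drive>:\<64 hex chars>, i.e. a file named by its hash
        if re.fullmatch(r"[A-Za-z]:\\[0-9a-fA-F]{64}", hwp["exec_path"]):
            tells.append("sample executed from its SHA256 name in the drive root")
    return tells


if __name__ == "__main__":
    f, h = parse_flash_beacon(FLASH_BEACON), parse_hwp_beacon(HWP_BEACON)
    print(f)
    print(h)
    print(sandbox_tells(f, h))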
Global map
Case Study 5 - ROKRAT
Case Study 5
• From the official email contact of Korea Global Forum
• Compromised & abused email
• Email asking to complete attached document
Case Study 5
• Email asking for help from someone in North Korea
• Attacker works on empathy
Case Study 5
• EPS object embedded within HWP document.
• ZLIB compression (default with Hangul)
• EPS document is where the magic was; by magic, we mean exploit!
Case Study 5
• Extracted EPS object reveals the exploit
• CVE-2013-0808 exploit used, which is an EPS based overflow
• Shellcode directly embedded in the EPS, using a NOP sled (0x04)
http://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg
http://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg
Case Study 5
• Analysis frustrations! This can complicate analysis and make it harder!
Infinite loop of sleep on Windows XP or Windows Server 2003
Case Study 5
• Doh! More anti-analysis techniques used!
Control of the running processes to detect analysis tools
• "mtool" for VMWare Tools
• "llyd" for OllyDBG
• "ython" for Python (Cuckoo Sandbox for example)
• "ilemo" for File Monitor
• "egmon" for Registry Monitor
• "peid" for PEiD
• "rocex" for Process Explorer
• "vbox" for VirtualBox
• "iddler" for Fiddler
• "ortmo" for Portmon
• "iresha" for Wireshark
• "rocmo" for Process Monitor
• "utoru" for Autoruns
• "cpvie" for TCPView
Case Study 5
• Beginning to get annoying now… Right?
Fake IOCs in analysis tools or sandbox, trying to confuse you!
https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg
http://www[.]hulu[.]com/watch/559035/episode3.mp4
Case Study 5
• C&C infrastructure, used for controlling compromised assets: ROKRAT brought their A game.
• CC #1: Twitter used
• Traffic analysis can be difficult
• Used 7 different hardcoded Twitter API tokens for C2
• Used Update, Tweet & Search API functions
Case Study 5
• File exfiltration can be hard, normally.
• CC #2: Yandex (cloud storage platform)
• Used for file/document exfiltration
• Using API functionality again, this time 4 tokens identified
• Performed over HTTPS
Case Study 5
• More file exfiltration!
• CC #3: Mediafire (cloud platform)
• Additional mechanism for file/document exfiltration
• Single API token identified, again hard coded
• HTTPS, again!
Case Study 5
• File/document exfiltration was complemented; why not have everything?
• Attacker implemented screenshot & keylogging functionality.
Case Study Summary
• Users. Users. Users. Users. Users. Users. Users. Users.
• They’re the weak target in every case study.
• Spear phishing is the favoured infection method across all of them; this results in small campaigns that draw less suspicion.
• Innovation attempts to keep their exploits and capabilities private.
• Target / asset information collection ensures their exploits are not wasted.
Maybe the beginning…
Maybe the beginning
• No APT tools but could inspire some actors….
• MS Publisher documents
• “Unlike other applications within the Microsoft
Office suite, Microsoft Publisher does not support
a 'Protected View' mode. This is a read only mode
which can help end users remain protected from
malicious document files. Microsoft Publisher is
included and installed by default in Office 365.”
• => http://blog.talosintelligence.com/2017/02/pony-pub-files.html
Maybe the beginning
• No APT tools but could inspire some actors….
• “Yay! I use MacOS… I’m saved !! “
• Interesting sample:
• sha256: 40c414fd75de6def664b3e953313125fc5e05628b6a2e07ded7634dc4f884666
Maybe the beginning
• No APT tools but could inspire some actors….
• “Yay! I use MacOS… I’m saved !! “
Maybe the beginning
macshell() + Python script ;)
Mitigations
Mitigations
• Office Macro:
• Disable macro execution
• New feature in Office 2016:
https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
• PowerShell:
• To restrict the execution policy:
• Set-ExecutionPolicy -ExecutionPolicy Restricted
Mitigations
• JavaScript / Wscript
• To disable WSH:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled => REG_DWORD = 0
• More generally
• Keep your software up to date…
• AppLocker (correctly configured!!! Don’t forget dll loading)
• Device Guard / VBS
Mitigations
• Monitoring of the usage of scripting languages
• MacOS mitigations…
• For Microsoft Office, see previous slides
• For script control… … … no method
Conclusion
Conclusion
• APT actors put more and more effort into protecting valuable code by performing reconnaissance before the final payload execution
• In the near future:
• more checks of the target’s relevance
• CC used for reconnaissance alive for only a few hours/days
• 0-days & advanced RAT frameworks are expensive; the bad guys will improve the way they deliver them to the real targets (memory only/fileless/…)
• New difficulties for malware researchers: without the last stage and the final payload, investigations will be complicated and incomplete
Conclusion
• Scripting languages on Windows are really trendy for APT
campaigns:
• PowerShell
• JavaScript
• Batch
• …
• These languages are native, embedded in Windows and powerful
• Obfuscation is included almost « by design » for these languages
• Monitoring is mandatory
Conclusion
• If that target was already compromised in the past, the
identification of the relevance is easier:
• Is the domain name known from the previous compromise?
• Is the OS version known from the previous compromise?
• Is the network setup known from the previous compromise?
• Is the available account setup known from the previous
compromise?
• …
• In this context, bad guys know your internal infrastructure…
Technical Bonus
• PowerShell is an unmissable tool for malware developers…
• How to automate PowerShell analysis?
• Can we debug PowerShell scripts with WinDBG?
YES we can
Technical Bonus
We are here: cdb is the CLI
Technical Bonus
• Usage of unmanaged code (for example dllimport)
• Standard WinDBG breakpoint => bp kernelbase!VirtualAlloc
• No specific WinDBG tricks, debug “as usual”
Technical Bonus
• Usage of managed code == .NET framework
0:011> .loadby sos clr
0:011> !bpmd system.dll System.Diagnostics.Process.Start
Found 6 methods in module 00007fff97581000...
breakpoint: bp 00007FFF977C96D9 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E8057D [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E80539 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E804B6 [System.Diagnostics.Process.Start(System.
breakpoint: bp 00007FFF97E80436 [System.Diagnostics.Process.Start(System.
System.String, breakpoint: bp 00007FFF977C72DA [System.Diagnostics.Proces
Adding pending breakpoints...
• SOS for .NET analysis + breakpoint
Technical Bonus
• Usage of managed code == .NET framework
Breakpoint 0 hit
System_ni+0x2496d9:
00007fff`977c96d9 488d0d08711e00 lea rcx,[System_ni+0x4307e8 (00007fff`979b07e8)]
0:008> !CLRStack -p
OS Thread Id: 0x2d34 (8)
Child SP IP Call Site
000000a7f9ace700 00007fff977c96d9
System.Diagnostics.Process.Start(System.Diagnostics.ProcessStartInfo)
PARAMETERS:
startInfo (<CLR reg>) = 0x0000028cbd5faa18
• .NET breakpoint & arguments playing
Technical Bonus
• Usage of managed code == .NET framework
0:008> !DumpObj /d 0000028cbd5faa18
Name: System.Diagnostics.ProcessStartInfo
MethodTable: 00007fff979ae380
EEClass: 00007fff975e29f0
Size: 144(0x90) bytes
File:
C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007fff9897de98 40027f3 8 System.String 0 instance 0000028cbd5fde18 fileName
00007fff9897de98 40027f4 10 System.String 0 instance 0000000000000000 arguments
[...redacted...]
00007fff9897ad70 4002806 58 System.WeakReference 0 instance 0000000000 weakParentProces
00007fff979af0a0 4002807 60 ....StringDictionary 0 instance 000000 environmentVariables
00007fff982e5ec0 4002808 68 ...tring, mscorlib]] 0 instance 0000000000000 environment
• .NET breakpoint & arguments playing
Technical Bonus
• Usage of managed code == .NET framework
0:008> !DumpObj /d 0000028cbd5fde18
Name: System.String
MethodTable: 00007fff9897de98
EEClass: 00007fff982d35f0
Size: 88(0x58) bytes
File:
C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String: C:\WINDOWS\system32\notepad.exe
• .NET breakpoint & arguments playing
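To script the analysis the slides ask about, the SOS output has to be parsed rather than read by eye. As an added example (not from the talk), the Python below parses `!DumpObj` output into header values and a field table, then builds the follow-up `!DumpObj /d <address>` command for a reference-type field such as fileName, which is exactly the manual step shown on these slides. The two dumps embedded in it are transcribed from the slides with the stripped backslashes restored; the function names are this example's own.

```python
"""Parse SOS !DumpObj output so that PowerShell argument inspection can be scripted.

Added example, not from the talk. The two dumps below are the !DumpObj outputs
shown on the slides (a ProcessStartInfo and the String it points to), with the
backslashes the slide export lost restored.
"""
import re
from collections import namedtuple

Field = namedtuple("Field", "mt offset type vt attr value")

HEADER_RE = re.compile(r"^(Name|MethodTable|EEClass|Size|File|String):\s*(.*)$")
HEX16_RE = re.compile(r"[0-9a-f]{16}")

PSI_DUMP = r"""
Name: System.Diagnostics.ProcessStartInfo
MethodTable: 00007fff979ae380
EEClass: 00007fff975e29f0
Size: 144(0x90) bytes
File:
C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007fff9897de98 40027f3 8 System.String 0 instance 0000028cbd5fde18 fileName
00007fff9897de98 40027f4 10 System.String 0 instance 0000000000000000 arguments
[...redacted...]
00007fff9897ad70 4002806 58 System.WeakReference 0 instance 0000000000 weakParentProces
00007fff979af0a0 4002807 60 ....StringDictionary 0 instance 000000 environmentVariables
00007fff982e5ec0 4002808 68 ...tring, mscorlib]] 0 instance 0000000000000 environment
"""

STRING_DUMP = r"""
Name: System.String
MethodTable: 00007fff9897de98
EEClass: 00007fff982d35f0
Size: 88(0x58) bytes
File:
C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String: C:\WINDOWS\system32\notepad.exe
"""


def parse_dumpobj(text):
    """Return the header values plus {'fields': {name: Field}} for one !DumpObj."""
    obj = {"fields": {}}
    lines = iter(text.strip().splitlines())
    for line in lines:
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "File" and not val:          # long paths wrap onto the next line
                val = next(lines, "").strip()
            if key == "Size":                       # "144(0x90) bytes" -> 144
                obj["size_bytes"] = int(re.match(r"\d+", val).group())
            obj[key] = val
            continue
        tokens = line.split()
        # Field rows: MT Field Offset Type VT Attr Value Name. The Type column can
        # contain spaces ("...tring, mscorlib]]"), so take fixed columns from both
        # ends and join whatever is left in the middle as the type.
        if len(tokens) >= 8 and HEX16_RE.fullmatch(tokens[0]):
            obj["fields"][tokens[-1]] = Field(
                mt=tokens[0], offset=int(tokens[2], 16), type=" ".join(tokens[3:-4]),
                vt=tokens[-4], attr=tokens[-3], value=tokens[-2],
            )
    return obj


def next_dump_command(obj, field_name):
    """Debugger command that dereferences a reference-type field, or None for a
    null or value-type field (this is the step a script would issue next)."""
    field = obj["fields"].get(field_name)
    if field is None or field.vt != "0" or int(field.value, 16) == 0:
        return None
    return "!DumpObj /d " + field.value


if __name__ == "__main__":
    psi = parse_dumpobj(PSI_DUMP)
    print(psi["Name"], psi["size_bytes"], "bytes")
    print("next:", next_dump_command(psi, "fileName"))
    print("fileName ->", parse_dumpobj(STRING_DUMP)["String"])
```

Feeding the dump of the String object back through the same parser yields the `String:` line, so a breakpoint on Process.Start followed by two parsed dumps gives the launched executable without reading the field table by hand.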
Technical Bonus
• Usage of managed code == .NET framework
0:008> dp rcx+8 L1
0000028c`bd5faa20 0000028c`bd5fde18
0:008> du 0000028c`bd5fde18+0xC
0000028c`bd5fde24 "C:\WINDOWS\system32\notepad.exe"
• For geeks directly in RCX
Technical Bonus
• Usage of managed code == .NET framework
0:011> .loadby sos clr
0:008> !bpmd system.dll System.Net.WebClient.DownloadFile
Found 2 methods in module 00007fff97581000...
MethodDesc = 00007fff976c1fe8
MethodDesc = 00007fff976c1ff8
Setting breakpoint: bp 00007FFF97DCAE0C
[System.Net.WebClient.DownloadFile(System.Uri, System.String)]
Setting breakpoint: bp 00007FFF97DCADBC
[System.Net.WebClient.DownloadFile(System.String, System.String)]
Adding pending breakpoints...
• SOS for .NET analysis + breakpoint
Technical Bonus
• Usage of managed code == .NET framework
Breakpoint 7 hit
System_ni+0x84adbc:
00007fff`97dcadbc 4885d2 test rdx,rdx
• SOS for .NET analysis + breakpoint
Technical Bonus
• Usage of managed code == .NET framework
0:008> du rdx+c
0000028c`bd53f13c "http://blog.talosintelligence.co"
0000028c`bd53f17c "m/"
0:008> du r8+c
0000028c`bd53f3b4 "c:\users\lucifer\desktop\demo.tx"
0000028c`bd53f3f4 "t"
• SOS for .NET analysis + breakpoint
www.talosintelligence.com
blog.talosintel.com
@talossecurity
@r00tbsd
@SecurityBeard

More Related Content

PDF
XFLTReat: a new dimension in tunnelling
PPTX
Dock ir incident response in a containerized, immutable, continually deploy...
PDF
Introduction to red team operations
PPTX
Sticky Keys to the Kingdom
PPTX
Outlook and Exchange for the bad guys
PDF
Csw2016 wang docker_escapetechnology
PDF
Web Application Security Testing: Kali Linux Is the Way to Go
PPTX
2016 TTL Security Gap Analysis with Kali Linux
XFLTReat: a new dimension in tunnelling
Dock ir incident response in a containerized, immutable, continually deploy...
Introduction to red team operations
Sticky Keys to the Kingdom
Outlook and Exchange for the bad guys
Csw2016 wang docker_escapetechnology
Web Application Security Testing: Kali Linux Is the Way to Go
2016 TTL Security Gap Analysis with Kali Linux

What's hot (20)

PDF
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
PPTX
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
PDF
1000 to 0
PDF
Socially Acceptable Methods to Walk in the Front Door
PPTX
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
PDF
Tools kali
PPTX
Invoke-Obfuscation DerbyCon 2016
PPTX
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
PPTX
Kali presentation
PDF
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
ODP
2600 av evasion_deuce
PDF
Internal Pentest: from z3r0 to h3r0
PPTX
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
PPTX
A Distributed Malware Analysis System Cuckoo Sandbox
PDF
BlueHat v17 || Disrupting the Mirai Botnet
PDF
HTTPプロクシライブラリproxy2の設計と実装
PPTX
Invoke-Obfuscation nullcon 2017
PPTX
Shmoocon Epilogue 2013 - Ruining security models with SSH
PPTX
BSides_Charm2015_Info sec hunters_gathers
PPTX
Nsa and vpn
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
1000 to 0
Socially Acceptable Methods to Walk in the Front Door
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
Tools kali
Invoke-Obfuscation DerbyCon 2016
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
Kali presentation
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
2600 av evasion_deuce
Internal Pentest: from z3r0 to h3r0
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
A Distributed Malware Analysis System Cuckoo Sandbox
BlueHat v17 || Disrupting the Mirai Botnet
HTTPプロクシライブラリproxy2の設計と実装
Invoke-Obfuscation nullcon 2017
Shmoocon Epilogue 2013 - Ruining security models with SSH
BSides_Charm2015_Info sec hunters_gathers
Nsa and vpn
Ad

Similar to Modern Reconnaissance Phase on APT - protection layer (20)

PDF
Malware collection and analysis
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
PPTX
Building your Open Source Security stack
PDF
Super Easy Memory Forensics
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
PPTX
Ethical hacking 101 - Singapore RSA 2019
PPTX
Blue Teaming on a Budget of Zero
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
PDF
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
PDF
Drupal, lessons learnt from real world security incidents
PPT
Nomura UCCSC 2009
PPTX
Manual JavaScript Analysis Is A Bug
PDF
Construye tu stack de ciberseguridad con open source
PDF
Crouching powerpoint, Hidden Trojan
PDF
Infosecurity.be 2019: What are relevant open source security tools you should...
PDF
EMBA Firmware analysis - TROOPERS22
PPTX
4055-841_Project_ShailendraSadh
PDF
Software Mining and Software Datasets
PPTX
Security research over Windows #defcon china
PPTX
Threat hunting on the wire
Malware collection and analysis
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Building your Open Source Security stack
Super Easy Memory Forensics
 
BSIDES-PR Keynote Hunting for Bad Guys
Ethical hacking 101 - Singapore RSA 2019
Blue Teaming on a Budget of Zero
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Drupal, lessons learnt from real world security incidents
Nomura UCCSC 2009
Manual JavaScript Analysis Is A Bug
Construye tu stack de ciberseguridad con open source
Crouching powerpoint, Hidden Trojan
Infosecurity.be 2019: What are relevant open source security tools you should...
EMBA Firmware analysis - TROOPERS22
4055-841_Project_ShailendraSadh
Software Mining and Software Datasets
Security research over Windows #defcon china
Threat hunting on the wire
Ad

More from Shakacon (20)

PDF
Web (dis)assembly
PDF
Macdoored
PDF
I can be apple and so can you
PDF
Cloud forensics putting the bits back together
PDF
Pwned in Translation - from Subtitles to RCE
PDF
Oversight: Exposing spies on macOS
PDF
Shamoon
PDF
A Decompiler for Blackhain-Based Smart Contracts Bytecode
PPTX
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
PDF
Reviewing the Security of ASoC Drivers in Android Kernel
PDF
Silent Protest: A Wearable Protest Network
PDF
WiFi-Based IMSI Catcher
PPTX
Sad Panda Analysts: Devolving Malware
PDF
reductio [ad absurdum]
PDF
Windows Systems & Code Signing Protection by Paul Rascagneres
PDF
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
PDF
The Search for the Perfect Door - Deviant Ollam
PDF
Swift Reversing by Ryan Stortz
PDF
Making a Scalable Automated Hacking System by Artem Dinaburg
PDF
Hunting Government Back Doors by Joseph Menn
Web (dis)assembly
Macdoored
I can be apple and so can you
Cloud forensics putting the bits back together
Pwned in Translation - from Subtitles to RCE
Oversight: Exposing spies on macOS
Shamoon
A Decompiler for Blackhain-Based Smart Contracts Bytecode
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Reviewing the Security of ASoC Drivers in Android Kernel
Silent Protest: A Wearable Protest Network
WiFi-Based IMSI Catcher
Sad Panda Analysts: Devolving Malware
reductio [ad absurdum]
Windows Systems & Code Signing Protection by Paul Rascagneres
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
The Search for the Perfect Door - Deviant Ollam
Swift Reversing by Ryan Stortz
Making a Scalable Automated Hacking System by Artem Dinaburg
Hunting Government Back Doors by Joseph Menn

Recently uploaded (20)

PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
PDF
WOOl fibre morphology and structure.pdf for textiles
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
Enhancing emotion recognition model for a student engagement use case through...
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
A comparative analysis of optical character recognition models for extracting...
PPTX
A Presentation on Artificial Intelligence
PDF
Heart disease approach using modified random forest and particle swarm optimi...
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Web App vs Mobile App What Should You Build First.pdf
PDF
project resource management chapter-09.pdf
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
Hindi spoken digit analysis for native and non-native speakers
PPTX
OMC Textile Division Presentation 2021.pptx
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
August Patch Tuesday
Accuracy of neural networks in brain wave diagnosis of schizophrenia
Digital-Transformation-Roadmap-for-Companies.pptx
Univ-Connecticut-ChatGPT-Presentaion.pdf
WOOl fibre morphology and structure.pdf for textiles
Zenith AI: Advanced Artificial Intelligence
Enhancing emotion recognition model for a student engagement use case through...
SOPHOS-XG Firewall Administrator PPT.pptx
gpt5_lecture_notes_comprehensive_20250812015547.pdf
A comparative analysis of optical character recognition models for extracting...
A Presentation on Artificial Intelligence
Heart disease approach using modified random forest and particle swarm optimi...
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Web App vs Mobile App What Should You Build First.pdf
project resource management chapter-09.pdf
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
Hindi spoken digit analysis for native and non-native speakers
OMC Textile Division Presentation 2021.pptx
Group 1 Presentation -Planning and Decision Making .pptx
Encapsulation_ Review paper, used for researhc scholars
August Patch Tuesday

Modern Reconnaissance Phase on APT - protection layer

  • 1. Modern reconnaissance phase by APT – protection layer
  • 2. whoami • Paul Rascagneres – prascagn@cisco.com // @r00tbsd • Security Researcher at Cisco Talos • Malware & APT hunter for more than 7 years… • Co-Organizer of Botconf, the CFP is still opened ;-) https://www.botconf.eu/botconf-2017/call-for-papers-2017/
  • 3. whoami • Warren Mercer – wamercer@cisco.com // @SecurityBeard • Security Researcher at Cisco Talos • I like looking at malware and finding it J • NetSec, Malware Analysis, Threat Intelligence. • Co-Founder of BSides Belfast, don’t go to France, come to Northern Ireland instead! https://www.bsidesbelfast.org
  • 4. Agenda • Infection vector: reconnaissance evolution • 5 case studies • Maybe the beginning… • Mitigations • Conclusion • Technical bonus ( if nobody asks questions :P )
  • 6. Infection vector: reconnaissance evolution • Why this presentation? • Few issues for APT actors: • Sandbox systems • Automatic analysis of malicious documents • Valuable code for APT actors: • Complex RAT framework • 0-day • Evolution: the infection vectors include mechanisms to avoid leaking 0-day, complex RAT framework or any valuable code to malware researchers/security companies
  • 7. Case Study 1 - NATO
  • 8. Case Study 1 • SHA256: ffd5bd7548ab35c97841c31cf83ad2ea5ec02c741560317fc9602a49ce36a763 • Filename: NATO secretary meeting.doc Matryoshka doll – Reconnaissance Framework
  • 9. Case Study 1 • RTF document with a succession of embedded objects
  • 10. Case Study 1 • First step: Reconnaissance via a first Flash object: A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f &DEB=t&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=16 00x1200&DP=72&COL=color&AR=1.0&OS=Windows%20XP&L=en&PT =ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f&DDP=f&DTS=f&DTE=f &DTH=f&DTM=f HTTP request to the C&C (*note the /nato) Flash in ActiveX object Windows versionFlash version
  • 11. Case Study 1 • Second step: if the collected data is good for the operator: Downloading of the Payload & Flash Exploit • if not: end of chain :’(
  • 12. Case Study 1 • Third step: Flash loading and exploitation & payload execution On the fly Flash loading Shellcode variable
  • 13. Case Study 1 • Cisco Umbrella helped us to identify DNS traffic associated with this C&C. The huge quantity of requests starting the 16th of January was performed by the security research community:
  • 14. Case Study 2 – Dina Bosio
  • 15. Case Study 2 • SHA256: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6 • Filename: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc
  • 16. • Macro Beginning of the encoded next stage JavaScript stage RC4 key in argument to the JavaScript stage Ca se S t ud y 2
  • 17. • JavaScript Base64 function RC4 function Ca se S t ud y 2
  • 18. Case Study 2 • Final payload Systeminfo net view net view /domain tasklist /v gpresult /z netstat -nao ipconfig /all arp -a net share | net use | net user net user administrator net user /domain net user administrator /domain set dir %systemdrive%Users*.* dir %userprofile%AppDataRoamingMicrosoftWindowsRecent*.* dir %userprofile%Desktop*.* tasklist /fi modules eq wow64.dll tasklist /fi modules ne wow64.dll dir %programfiles(x86)% dir %programfiles% dir %appdata% CC
  • 19. Case Study 2 • Data sent to 2 compromised websites • If the data is good for the attacker, a PE32 file is download and executed (MailForm.pif) • If not: no final payload :’(
  • 20. Case Study 3 – Survey Time!
  • 21. Case Study 3 • SHA256: eb1f47c9f71d3fd2ff744a9454c256bf3248921fbcbadf0a80d5e73a0c6a82de • Filename: survey.xls
  • 22. Case Study 3 • Macro • Creation of a VBS to execute a PowerShell Execution with a Schedule Task… No CreateProcess()
  • 24. Case Study 3 • A batch file is downloaded from the C&C in order to collect information about the target system: • If the collected data is sufficient for the attacker a RAT is downloaded, if not: no final payload
  • 25. Case Study 4 – Korean New Year
  • 26. Case Study 4 • SHA256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919 • Filename: 5170101-17년_북한_신년사_분석.hwp (5170101-17 __ North Korea _ New Year _ analysis .hwp)
  • 27. Case Study 4 • Hangul Word Processor • A HWP document allegedly written by Korean Ministry of Unification • The document contains links to 2 OLE objects
  • 28. Case Study 4 • The OLE objects drop 2 executables C:UsersADMINI~1AppDataLocalTempHwp (2).exe C:UsersADMINI~1AppDataLocalTempHwp (3).exe
  • 29. Case Study 4 • First step : open a decoy document
  • 30. Case Study 4 • Second step: collect information about the target - Computer name - Username - Execution path - BIOS Model (HKLMSystemCurrentControlSetServicesmssmbi osDataSMBiosData) • Purpose: to determine if target is suitable for attack
  • 31. Case Study 4 • Example request (PCAP available on VirusTotal) Decoded data: 0F37555F#0#0#0#TEQUILABOOMBOOM#janetted oe#C:4b20883386665bd205ac50f34f7b6293747f d720d602e2bb3c270837a21291b4#innotek GmbH VirtualBox 1.2 Hostname username Execution path BIOS model
  • 32. Case Study 4 • Third step: if the collected data is sufficient for the attacker: download & execute the final payload, if not: no payload (.jpg file) • The command & control is a compromised Korean governmental website: Korean Government Legal Service - www.kgls.or.kr/news2/news_dir/index.php (where the collected information is sent) - www.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg (where 02BC6B26 is a random ID)
  • 34. Case Study 5 - ROKRAT
  • 35. Case Study 5 • From the official email contact of Korea Global Forum • Compromised & abused email • Email asking to complete attached document
  • 36. Case Study 5 • Email asking for help from someone in North Korea • Attacker works on empathy
  • 38. Case Study 5 • EPS Object embedded within HWP document. • ZLIB Compression (Default with Hangul) • EPS Document is where the magic was, by magic, we mean exploit !
  • 39. Case Study 5 • Extracted EPS object reveals the exploit • CVE-2013-0808 exploit used which is an EPS based overflow • Shellcode directly embedded in the EPS, using a NOP Sled (0x04) http://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg http://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg
  • 40. Case Study 5 • Analysis Frustrations! This can complicated analysis and make it harder! Infinite loop of sleep on Windows XP or Windows Server 2003
  • 41. Case Study 5 • Doh! More anti-analysis techniques used! Control of the running process to detect analysis tools • "mtool" for VMWare Tools • "llyd" for OllyDBG • "ython" for Python (Cuckoo Sandbox for example) • "ilemo" for File Monitor • "egmon" for Registry Monitor • "peid" for PEiD • "rocex" for Process Explorer • "vbox" for VirtualBox • "iddler" for Fiddler • "ortmo" for Portmon • "iresha" for Wireshark • "rocmo" for Process Monitor • "utoru" for Autoruns • "cpvie" for TCPView
  • 42. Case Study 5 • Beginning to get annoying now… Right? Fake IOCs in analysis tools or sandbox, trying to confuse you! https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg http://www[.]hulu[.]com/watch/559035/episode3.mp4
  • 43. Case Study 5 • C&C Infrastructure, used for controlling compromised assets, ROKRAT brought their A Game. • CC #1: Twitter used • Traffic analysis can be difficult • Used 7 different hardcoded Twitter API Tokens for C2 • Used Update, Tweet & Search API functions
  • 44. Case Study 5 • File exfiltration can be hard, normally. • CC #2: Yandex (Cloud storage platform) • Used for file/document exfiltration • Using API functionality again, this time 4 tokens identified • Performed over HTTPS
  • 45. Case Study 5 • More file exfiltration! • CC #3: Mediafire (Cloud Platform) • Additional mechanism for file/document exfiltration • Single API token identified, again hard coded • HTTPS, again!
  • 46. Case Study 5 • File/Document exfiltration was complimented, why not have everything? • Attacker implemented screen shot & key logging functionality.
  • 47. Case Study Summary • Users. Users. Users. Users. Users. Users. Users. Users. • They’re the weak target in every case study. • Spear Phishing is a favoured method of infection through all, this results in small campaigns and less arousal of suspicion. • Innovation attempts to keep their exploits and capabilities private. • Target / Asset information collection – ensure their exploits are not wasted.
  • 49. Maybe the beginning • No APT tools but could inspire some actors…. • MS Publisher documents • “Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a 'Protected View' mode. This is a read only mode which can help end users remain protected from malicious document files. Microsoft Publisher is included and installed by default in Office 365.” • => http://blog.talosintelligence.com/2017/02/pony-pub-files.html
  • 50. Maybe the beginning • No APT tools but could inspire some actors…. • “Yay! I use MacOS… I’m saved !! “ • Interesting sample: • sha256: 40c414fd75de6def664b3e953313125fc5e05628b6a2e07ded7634dc4f884666
• 51. Maybe the beginning • No APT tools but could inspire some actors…. • “Yay! I use MacOS… I’m saved !! “
  • 52. Maybe the beginning macshell() + Python script ;)
• 54. Mitigations • Office Macro: • Disable Macro execution • New feature in Office 2016: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/ • PowerShell: • To restrict Execution Policy • Set-ExecutionPolicy -ExecutionPolicy Restricted
• 55. Mitigations • JavaScript / Wscript • To disable WSH • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled => REG_DWORD = 0 • More generally • Keep your software up to date… • AppLocker (correctly configured!!! Don’t forget dll loading) • Device Guard / VBS
  • 56. Mitigations • Monitoring of the usage of scripting languages • MacOS mitigations… • For Microsoft Office, see previous slides • For script control… … … no method
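The PowerShell and WSH mitigations from slides 54-55 and the monitoring point from slide 56, as one audit-and-apply script (added example, not code from the talk). The WSH registry value and the Restricted execution policy are those named on the slides; the ScriptBlockLogging policy key is an assumption added to cover the monitoring point, and the script must run from an elevated prompt.

```powershell
# Added example (not from the slides): audit, then apply, the Windows scripting
# mitigations listed above. Requires an elevated PowerShell session.
# Assumed for the monitoring point: the ScriptBlockLogging policy key below.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptingPosture {
    # Read-only: reports the three settings without changing anything.
    $wsh = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $sbl = (Get-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    [pscustomobject]@{
        WshEnabled         = if ($null -eq $wsh) { 'not set (WSH enabled by default)' } else { $wsh }
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        ScriptBlockLogging = if ($null -eq $sbl) { 'not set (off)' } else { $sbl }
    }
}

function Set-ScriptingMitigations {
    param([switch]$WhatIf)   # pass -WhatIf to preview the changes only

    # 1. Disable Windows Script Host: .js/.vbs/.wsf launched through wscript/cscript
    #    are refused (slide 55: ...\Windows Script Host\Settings\Enabled = 0).
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    Set-ItemProperty -Path $WshKey -Name Enabled -Type DWord -Value 0 -WhatIf:$WhatIf

    # 2. Restrict the PowerShell execution policy machine-wide (slide 54).
    #    Note: the policy is a safety feature, not a security boundary, which is
    #    why step 3 records what does get executed.
    Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force -WhatIf:$WhatIf

    # 3. Script block logging: every script block PowerShell runs is written to
    #    Microsoft-Windows-PowerShell/Operational as event 4104 (slide 56: monitoring).
    if (-not (Test-Path $SblKey)) { New-Item -Path $SblKey -Force | Out-Null }
    Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Type DWord -Value 1 -WhatIf:$WhatIf
}

Write-Host 'Before:'; Get-ScriptingPosture | Format-List
Set-ScriptingMitigations
Write-Host 'After:';  Get-ScriptingPosture | Format-List
```

Run `Set-ScriptingMitigations -WhatIf` first on a test host; AppLocker and Device Guard from slide 55 are policy objects and are not covered by this script.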
• 58. Conclusion • APT actors put more and more effort into protecting valuable code by performing reconnaissance before the final payload executes • In the near future: • more checks of the target’s relevance • C&C used for reconnaissance alive for only a few hours/days • 0-day & advanced RAT frameworks are expensive, the bad guys will improve the way they deliver them to the real targets (memory only/fileless/…) • New difficulties for malware researchers: without the last stage and the final payload, investigations will be complicated and incomplete
  • 59. Conclusion • Scripting languages on Windows are really trendy for APT campaigns: • PowerShell • JavaScript • Batch • … • These languages are native, embedded in Windows and powerful • Obfuscation is included almost « by design » for these languages • Monitoring is mandatory
• 60. Conclusion • If the target was already compromised in the past, identifying its relevance is easier: • Is the domain name known from the previous compromise? • Is the OS version known from the previous compromise? • Is the network setup known from the previous compromise? • Is the available account setup known from the previous compromise? • … • In this context, the bad guys already know your internal infrastructure…
• 63. Technical Bonus • PowerShell is an unmissable tool for malware developers… • How to automate PowerShell analysis? • Can we debug PowerShell scripts with WinDBG? YES we can
  • 64. Technical Bonus We are here: cdb is the CLI
  • 65. Technical Bonus • Usage of unmanaged code (for example dllimport) • Standard WinDBG breakpoint => bp kernelbase!VirtualAlloc • No specific WinDBG tricks, debug “as usual”
• 66. Technical Bonus • Usage of managed code == .NET framework
    0:011> .loadby sos clr
    0:011> !bpmd system.dll System.Diagnostics.Process.Start
    Found 6 methods in module 00007fff97581000...
    breakpoint: bp 00007FFF977C96D9 [System.Diagnostics.Process.Start(System.
    breakpoint: bp 00007FFF97E8057D [System.Diagnostics.Process.Start(System.
    breakpoint: bp 00007FFF97E80539 [System.Diagnostics.Process.Start(System.
    breakpoint: bp 00007FFF97E804B6 [System.Diagnostics.Process.Start(System.
    breakpoint: bp 00007FFF97E80436 [System.Diagnostics.Process.Start(System. System.String,
    breakpoint: bp 00007FFF977C72DA [System.Diagnostics.Proces
    Adding pending breakpoints...
  • SOS for .NET analysis + breakpoint
• 67. Technical Bonus • Usage of managed code == .NET framework
    Breakpoint 0 hit
    System_ni+0x2496d9:
    00007fff`977c96d9 488d0d08711e00  lea rcx,[System_ni+0x4307e8 (00007fff`979b07e8)]
    0:008> !CLRStack -p
    OS Thread Id: 0x2d34 (8)
            Child SP               IP Call Site
    000000a7f9ace700 00007fff977c96d9 System.Diagnostics.Process.Start(System.Diagnostics.ProcessStartInfo)
        PARAMETERS:
            startInfo (<CLR reg>) = 0x0000028cbd5faa18
  • .NET breakpoint & arguments playing
• 68. Technical Bonus • Usage of managed code == .NET framework
    0:008> !DumpObj /d 0000028cbd5faa18
    Name:        System.Diagnostics.ProcessStartInfo
    MethodTable: 00007fff979ae380
    EEClass:     00007fff975e29f0
    Size:        144(0x90) bytes
    File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
    Fields:
                  MT    Field   Offset                 Type VT     Attr            Value Name
    00007fff9897de98  40027f3        8        System.String  0 instance 0000028cbd5fde18 fileName
    00007fff9897de98  40027f4       10        System.String  0 instance 0000000000000000 arguments
    [...redacted...]
    00007fff9897ad70  4002806       58 System.WeakReference  0 instance 0000000000 weakParentProces
    00007fff979af0a0  4002807       60 ....StringDictionary  0 instance 000000 environmentVariables
    00007fff982e5ec0  4002808       68 ...tring, mscorlib]]  0 instance 0000000000000 environment
  • .NET breakpoint & arguments playing
• 69. Technical Bonus • Usage of managed code == .NET framework
    0:008> !DumpObj /d 0000028cbd5fde18
    Name:        System.String
    MethodTable: 00007fff9897de98
    EEClass:     00007fff982d35f0
    Size:        88(0x58) bytes
    File:        C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
    String:      C:\WINDOWS\system32\notepad.exe
  • .NET breakpoint & arguments playing
• 70. Technical Bonus • Usage of managed code == .NET framework
    0:008> dp rcx+8 L1
    0000028c`bd5faa20  0000028c`bd5fde18
    0:008> du 0000028c`bd5fde18+0xC
    0000028c`bd5fde24  "C:\WINDOWS\system32\notepad.exe"
  • For geeks: read it directly from RCX
• 71. Technical Bonus • Usage of managed code == .NET framework
    0:011> .loadby sos clr
    0:008> !bpmd system.dll System.Net.WebClient.DownloadFile
    Found 2 methods in module 00007fff97581000...
    MethodDesc = 00007fff976c1fe8
    MethodDesc = 00007fff976c1ff8
    Setting breakpoint: bp 00007FFF97DCAE0C [System.Net.WebClient.DownloadFile(System.Uri, System.String)]
    Setting breakpoint: bp 00007FFF97DCADBC [System.Net.WebClient.DownloadFile(System.String, System.String)]
    Adding pending breakpoints...
  • SOS for .NET analysis + breakpoint
• 72. Technical Bonus • Usage of managed code == .NET framework
    Breakpoint 7 hit
    System_ni+0x84adbc:
    00007fff`97dcadbc 4885d2  test rdx,rdx
  • SOS for .NET analysis + breakpoint
• 73. Technical Bonus • Usage of managed code == .NET framework
    0:008> du rdx+c
    0000028c`bd53f13c  "http://blog.talosintelligence.co"
    0000028c`bd53f17c  "m/"
    0:008> du r8+c
    0000028c`bd53f3b4  "c:\users\lucifer\desktop\demo.tx"
    0000028c`bd53f3f4  "t"
  • SOS for .NET analysis + breakpoint
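The cdb session from slides 71-73, driven from PowerShell so the SOS breakpoint and the argument dumps run without typing them at the prompt; this is an added example answering the "how to automate" question, not the speakers' own tooling. Assumed: the Debugging Tools path, the sample and log paths, the number of DownloadFile calls to capture, and `sxe ld:clr` as the point at which `.loadby sos clr` becomes possible.

```powershell
# Added example (not from the slides): run a PowerShell sample under cdb in an
# isolated analysis VM and log every WebClient.DownloadFile(string, string)
# call with its URL and destination path, as shown interactively on slides 71-73.
# Assumed paths; adjust for your setup.
$Cdb    = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'
$Sample = 'C:\analysis\sample.ps1'
$Log    = 'C:\analysis\cdb-trace.log'
$Hits   = 3      # assumption: how many DownloadFile calls to capture before quitting

# Commands executed on each breakpoint hit (slide 73): managed stack with
# parameters, then the two string arguments. +c skips the String object header
# so 'du' starts at the characters; rdx/r8 match the (String, String) overload
# whose breakpoint hit on slide 72.
$PerHit = 'g; !CLRStack -p; du rdx+c; du r8+c'

$Commands = @(
    'sxe ld:clr',                                        # stop once clr.dll is mapped
    'g',
    '.loadby sos clr',                                   # slide 71
    '!bpmd system.dll System.Net.WebClient.DownloadFile' # pending until System.dll loads
) + (@($PerHit) * $Hits) + 'q'

# -g: skip the initial breakpoint, -G: do not stop at process exit,
# -logo: write the whole session to $Log, -c: initial command string.
& $Cdb -g -G -logo $Log -c ($Commands -join '; ') `
    powershell.exe -NoProfile -File $Sample

Get-Content $Log | Select-String -Pattern 'DownloadFile|^0000[0-9a-f]+`[0-9a-f]+  "'
```

The last line pulls the call sites and the dumped strings out of the log; the Process.Start overload from slides 66-70 takes a ProcessStartInfo in RCX, so it needs the `!DumpObj` step instead of `du rdx+c`.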