What's going on out there?

SANS DFIR Summit '13

hiddenillusion

July 09, 2013

Transcript

  1. Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL

     July 09, 2013. Glenn P. Edwards Jr., Senior IR Consultant. SANS DFIR Summit: What’s going on out there?
  2. Agenda
     • General trends
     • Infection vectors
     • Command & Control (C2)
     • Common victims
     • Case examples
     • Demos
     • Q&A
     http://media.tumblr.com/tumblr_lh1urdZQ3E1qd9o7r.gif
  4. $ whoami
     $ id
     uid=1000(Senior IR Consultant) gid=1000(FireEye) groups=1(Labs-IR)
     $ more Glenn
     – Have some fancy letters after my name
       • M.S. in Digital Forensics
       • B.S. in Information Security & Privacy
     – I’m around…
       • @hiddenillusion
       • hiddenillusion.blogspot.com
  5. Most commonly seen APT malware
     Industry                        Highest infection rate
     Education                       Backdoor.APT.Gh0stRat
     High Tech                       Backdoor.APT.Gh0stRat
     Manufacturing & Construction    Backdoor.APT.Gh0stRat
     Aerospace/Defense/Airlines      Backdoor.APT.Dalbot
     Financial                       Backdoor.APT.SearchNews
     http://24.media.tumblr.com/tumblr_lj9bkuk7Re1qdg4auo1_r1_400.jpg
  6. $ find / -type d -group malware -exec ls {} \;
     • %temp%
     • %appdata%
     • %windir%\System32
     • %systemdrive%
     • %allusersprofile%
     • %commonprogramfiles%
  7. …what should I call myself?
     • Wide net – UPS, DHL, Airline Confirmation
     • Custom created documents to look appealing to certain users
       – Conference notice.pdf_______________________________________________.exe
     • Infect internal documents
     • Leverage different character encodings
     • Commonly used application names/updaters – Google, Adobe, Skype
     • Closely mimic system files – svchost.exe, ctfmon.exe, dw20.exe, iexplorer.exe
  8. Suspected stolen document – Who is the document owner?
  9. #trendy: malicious Unicode ‘hosts’ file
     • The file name uses U+043E (Cyrillic small letter o) in place of the Latin ‘o’
     • Only the Unicode version is shown; the real ‘hosts’ file is hidden
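The naming and placement tricks on the last few slides (padded double extensions, homoglyph file names such as the Cyrillic ‘hosts’, near-misses of system binary names, and the usual drop directories) can be checked mechanically. The following triage helper is an added example, not code from the talk or from FireEye; it takes paths in the un-expanded %VAR% form the slides use (a real run would expand them with os.path.expandvars on the host), and its lookalike list, homoglyph table, distance threshold and sample paths are assumptions constructed for illustration.

```python
"""Added example (not code from the talk): triage helper for suspicious
file names and locations.  All lists, thresholds and sample paths below
are assumptions/constructed."""
import ntpath
import re

# Drop directories the "find / -group malware" slide lists.
ABUSED_DIRS = ("%temp%", "%appdata%", "%windir%\\system32", "%systemdrive%",
               "%allusersprofile%", "%commonprogramfiles%")

# System binaries whose names get mimicked (the slide's four plus a few
# common ones; assumption).
SYSTEM_NAMES = ("svchost.exe", "ctfmon.exe", "dw20.exe", "iexplore.exe",
                "explorer.exe", "lsass.exe", "csrss.exe")

DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Cyrillic letters that render like Latin ones (U+043E is the slide's example).
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "\u0455": "s", "\u04bb": "h"}


def double_extension(name):
    """Return (doc_ext, exec_ext) for names like 'notice.pdf______.exe', else None."""
    m = re.match(r"^.+?(\.[A-Za-z0-9]{2,4})[ _\-]*(\.[A-Za-z0-9]{2,4})$", name)
    if not m:
        return None
    inner, outer = m.group(1).lower(), m.group(2).lower()
    return (inner, outer) if inner in DOC_EXT and outer in EXEC_EXT else None


def fold_homoglyphs(name):
    """Replace known confusable characters with the Latin letter they imitate."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name)


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Closest system binary name within two edits, unless the name is exact."""
    low = name.lower()
    if low in SYSTEM_NAMES:
        return None
    best = min(SYSTEM_NAMES, key=lambda real: edit_distance(low, real))
    return best if edit_distance(low, best) <= 2 else None


def triage(path):
    """Return the list of findings for one path (empty list = nothing odd)."""
    directory, name = ntpath.split(path)
    low_dir = directory.lower().rstrip("\\")
    findings = []
    dext = double_extension(name)
    if dext:
        findings.append("double extension %s%s" % dext)
    non_ascii = [ch for ch in name if ord(ch) > 127]
    if non_ascii:
        findings.append("non-ASCII chars %s in name, reads as %r" % (
            " ".join("U+%04X" % ord(ch) for ch in non_ascii), fold_homoglyphs(name)))
    if name.lower() in SYSTEM_NAMES and not low_dir.endswith("system32"):
        findings.append("system binary name outside System32")
    look = lookalike_of(name)
    if look:
        findings.append("lookalike of %s" % look)
    if any(low_dir.startswith(d) for d in ABUSED_DIRS):
        findings.append("in commonly abused directory")
    return findings


# Constructed sample paths, one per trick on the slides.
SAMPLE_PATHS = [
    "%temp%\\Conference notice.pdf_______________________________________________.exe",
    "%windir%\\System32\\drivers\\etc\\h\u043ests",   # Cyrillic o inside 'hosts'
    "%appdata%\\iexplorer.exe",
    "%temp%\\svchost.exe",
    "%programfiles%\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", triage(p) or "clean")
```

The directory finding on its own is weak (plenty of legitimate software lives in %appdata%); it is only worth acting on in combination with one of the name-based findings, which is why triage returns all of them rather than a single verdict.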
 10. File types
     • Small, purpose-built tools
     • Custom malware built with only one or two functions, serving a very specific purpose
     • Executable code not in executable formats, to evade network/disk detection
     • Self-Extracting Archives (SFX)
 11. Persistence
     • Same old Registry keys – *Run*, Userinit etc.
     • Windows Startup folder
     • Search order hijacking
     • Windows services
     • Trojanized system files
     • Scheduled tasks
     • Creating multiple copies of itself
     • Infecting update programs
 12. User-Agents
     • Dynamic
     • Outdated – Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
     • Outliers – IE, NSIS
 13. Characteristics / behavior
     • Profiling
       – /cgi-bin/cmd.cgi?user_id=*&version_id=*&socks=*&version=*&crc=*
     • Adding an exception to the Windows firewall
       – netsh firewall add allowedprogram "C:\Documents and Settings\<user>\Local Settings\Temp\Trojan.exe" "Trojan.exe" ENABLE
     • Trying to detect automated analysis
       – User interaction (e.g. mouse clicks)
       – A lot of sleeping going on…
     • Scheduling files to be renamed/deleted upon reboot
       – HKLM\SYSTEM\ControlSet00#\Control\Session Manager\"PendingFileRenameOperations"
     • Proxy aware
     • More in-memory malicious code
       – Trojan.APT.Seinup
     • Local privilege escalation
       – Copy security token
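The User-Agent and profiling observations on the two slides above translate directly into proxy-log hunting logic. The script below is an added example, not code from the talk: it scans constructed log lines for an outdated browser string such as the slide's "MSIE 5.0; Windows 98", for non-browser outliers, for a host whose User-Agent keeps changing, and for the cmd.cgi profiling parameter set. The log format, field order, outdated-UA patterns, host names and sample lines are assumptions; the cmd.cgi parameter names are the slide's own.

```python
"""Added example (not code from the talk): proxy-log checks for the
User-Agent and profiling-beacon behaviours on the slides above.
Log format and sample lines are constructed."""
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Outdated browser fingerprints such as the slide's "MSIE 5.0; Windows 98" (assumption).
OUTDATED_UA = re.compile(r"MSIE [1-6]\.|Windows 9[58]|Windows NT 4\.0", re.I)
# Query parameters of the profiling beacon shown on the slide.
PROFILING_KEYS = {"user_id", "version_id", "socks", "version", "crc"}
# Prefixes a real browser sends; anything else is reviewed as an outlier
# (a production allowlist would also cover updaters and the like; assumption).
BROWSER_PREFIXES = ("Mozilla/", "Opera/")


def parse_line(line):
    """Fields: timestamp src dst method "url" "user-agent" (constructed format)."""
    ts, src, dst, method, url, ua = shlex.split(line)
    return {"ts": ts, "src": src, "dst": dst, "method": method, "url": url, "ua": ua}


def ua_findings(ua):
    if OUTDATED_UA.search(ua):
        return ["outdated user-agent: " + ua]
    if not ua.startswith(BROWSER_PREFIXES):
        return ["outlier user-agent: " + ua]
    return []


def url_findings(url):
    """Flag a request whose query carries every key of the profiling beacon."""
    keys = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if PROFILING_KEYS <= keys:
        return ["profiling beacon (%s)" % ",".join(sorted(keys))]
    return []


def analyze(lines):
    """Return (src, reason, url) tuples; 'dynamic' UAs are judged per source host."""
    alerts, uas_by_src = [], {}
    for line in lines:
        rec = parse_line(line)
        uas_by_src.setdefault(rec["src"], set()).add(rec["ua"])
        for reason in ua_findings(rec["ua"]) + url_findings(rec["url"]):
            alerts.append((rec["src"], reason, rec["url"]))
    for src, uas in uas_by_src.items():
        if len(uas) >= 3:   # threshold is an assumption
            alerts.append((src, "dynamic user-agent (%d distinct)" % len(uas), ""))
    return alerts


# Constructed sample log; hosts use the reserved .invalid TLD.
SAMPLE_LOG = """
2013-07-09T10:00:01 10.1.1.5 c2.example.invalid GET "http://c2.example.invalid/cgi-bin/cmd.cgi?user_id=42&version_id=3&socks=0&version=1.2&crc=ab12" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
2013-07-09T10:00:05 10.1.1.7 www.example.com GET "http://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
2013-07-09T10:00:09 10.1.1.9 upd.example.invalid GET "http://upd.example.invalid/u.php" "IE"
2013-07-09T10:00:12 10.1.1.9 upd.example.invalid POST "http://upd.example.invalid/u.php" "NSIS_Inetc (Mozilla)"
2013-07-09T10:00:15 10.1.1.9 upd.example.invalid GET "http://upd.example.invalid/u.php" "Mozilla/5.0 (Windows NT 6.1)"
""".strip().splitlines()

if __name__ == "__main__":
    for src, reason, url in analyze(SAMPLE_LOG):
        print(src, reason, url)
```

The outlier check is deliberately crude: many legitimate agents (update clients, download managers) do not start with "Mozilla/", so in practice it feeds a review queue keyed on the sending host rather than an alert, and the per-host distinct-UA count is what separates a single odd tool from a sample that rotates its string.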
 15. Where’s it all coming from?
     • E-mail
     • Watering holes
     • Spear Phishing
     • Compromised update servers
     • Drive-bys
 16. What’s being targeted?
     • E-mail
       – Malicious URLs
       – Archives with EXE’s
       – Password protected archives
       – Malicious documents
         • CVE-2012-0158
     • Watering holes
       – CVE-2011-3544, CVE-2012-4792, CVE-2013-0422, CVE-2013-1288
     • Compromised update servers
     • Drive-bys
       – Plugins (JAVA, PDF, SWF …)
 17. #trendy: e-mail attachment specified via ‘Content-Type’ instead of ‘Content-Disposition’

     Content-Type: application/pdf; name="Important.pdf"
     Content-Transfer-Encoding: base64

     Compare the conventional form (annotated “I see you…” on the slide):

     Content-Type: application/pdf; name="Important.pdf"
     Content-Transfer-Encoding: base64
     Content-Disposition: attachment; filename="Important.pdf"
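A mail filter that only looks for Content-Disposition misses the first form on the slide. The function below, an added example rather than code from the talk, walks a MIME message with Python's standard email package and reports every attachment-like part together with how it was identified, so the "name= only" case is visible instead of silently dropped; it also compares the payload's leading bytes with the type the extension claims, which ties in with the later observation that requested file extensions do not match their magic. Both messages and the magic table are constructed; the base64 body decodes to just "%PDF-1.4\n".

```python
"""Added example (not code from the talk): extract attachments whether the
sender used Content-Disposition or only a Content-Type name= parameter,
and check the claimed extension against the payload's magic bytes.
Messages and the magic table are constructed."""
import email
from email import policy

RAW_EMAIL = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Important
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please see attached.
--XYZ
Content-Type: application/pdf; name="Important.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Same message with the conventional Content-Disposition header added.
RAW_EMAIL_WITH_CD = RAW_EMAIL.replace(
    b"Content-Transfer-Encoding: base64\n",
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="Important.pdf"\n')

# Leading bytes expected for a few extensions (assumption; extend as needed).
MAGIC = {".pdf": b"%PDF", ".exe": b"MZ", ".zip": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0"}


def attachments(raw):
    """Return (filename, content_type, how_found, payload) for every attachment-like part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cd_name = part.get_param("filename", header="content-disposition")
        ct_name = part.get_param("name", header="content-type")
        if part.get_content_disposition() == "attachment" or cd_name:
            how = "Content-Disposition"
        elif ct_name:
            how = "Content-Type name= only"   # the case on the slide
        else:
            continue   # body text, not an attachment
        found.append((cd_name or ct_name, part.get_content_type(), how,
                      part.get_payload(decode=True)))
    return found


def magic_mismatch(filename, payload):
    """True when the extension claims a type whose magic bytes are absent."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    expected = MAGIC.get(ext)
    return expected is not None and not payload.startswith(expected)


if __name__ == "__main__":
    for raw in (RAW_EMAIL, RAW_EMAIL_WITH_CD):
        for name, ctype, how, payload in attachments(raw):
            print(name, ctype, "via", how, "magic mismatch:", magic_mismatch(name, payload))
```

Note that Message.get_filename() in the standard library already falls back to the Content-Type name= parameter; the point of reading the two parameters separately is to record which header carried the name, because that is the signal the slide calls out.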
 19. C2 stats
     • TCP used 76% of the time
     • 68% of C2 traffic was to an IP address
     • Dynamic DNS
 20. #trendy
     • ZeroAccess utilizing maxmind for location
     • Connection attempts to public mail servers, when C2 isn’t accessible, to test for connectivity
 21. It’s going, going…it’s gone
     • Port 80/TCP
     • HTTP GET/POST requests with XOR-ish bodies
     • Base64
       – Backdoor.APT.LV – C&C channel comms
     • Extensions of files requested don’t match magic
     • Custom
       – Scrambled Base64 character set: Trojan.APT.LetsGo, Backdoor.APT.Merong
       – Base64 with digital signature: APT.Seinup
 22. So where’s it all going?
     Attackers are increasingly sending initial callbacks to servers within the same nation in which the target resides.
     Top 5 nations hosting C2 servers
     United States    25%
     South Korea       7%
     China             5%
     Russia            5%
     Ukraine           4%
 23. So where’s it all going?
     Average total callbacks per company, summarized by region
     Regional callback volumes
     North America    44%
     APAC             24%
     Eastern Europe   22%
     Western Europe    7%
     Latin America     3%
     http://siliconangle.com/files/2012/09/honeynet-project-honeymap-screenshot.png
 24. #trendy
     • Utilizing more legitimate channels to get cmds
       – Twitter
       – Facebook
       – Baidu
       – Message boards
     • Using proxies for traffic
       – Google Docs
       – URL shortening services
     • Embedding info. inside common files (e.g. JPGs) for data exfil.
 26. Common victims
     Industry                        Percentage
     Education                       18%
     High Tech                       16.8%
     Manufacturing & Construction    12.6%
     Aerospace/Defense/Airlines      9%
     Financial                       7.5%
     https://i.chzbgr.com/maxW500/6266462720/hAFAF8AAB/
 28. Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL

     Typical APT Infection Vectors – Case example #1 – Update Infector
 29. Update Infector : Overview
     Category        Notes
     Delivery        RAT
     Files dropped   DLL & EXE
     Persistence     DLL injection
     http://www.funnychix.com/pix/funny-pictures-infection.jpg
 30. Update Infector – uploaded tools
     Imports (normal):
       • Kernel32.dll
         – GetProcAddress
     Imports (after injection):
       • Kernel32.dll
         – GetProcAddress
       • sxsrv.dll
         – Looper
     Injector command line: setupp.exe -i <benign file> sxsrv.dll Looper
       – setupp.exe: the DLL injector
       – <benign file>: benign file to inject (-i)
       – sxsrv.dll: DLL to add
       – Looper: DLL function to use
 31. Update Infector – applications of interest
     • %localappdata%\
       – Google\Update\GoogleUpdate.exe
     • %programfiles%\
       – Common Files\Java\Java Update\jusched.exe
       – Adobe\Acrobat X.X\Acrobat\AdobeUpdate.exe
       – Adobe\Reader X.X\Reader\AcroTray.exe
       – Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
       – iTunes\iTunesAdmin.exe
 32. Update Infector – attack tools process flow
     1 – Benign file is now infected
     2 – Loads function of inserted DLL
     3 – Beacons to C2
     4 – Attacker sends commands back to victim
     5 – Data sent back to attacker
 33. Update Infector – custom PCAP decoder
     1 – Malicious binary reversed to find XOR key
     2 – Each cmd byte in PCAP reversed
     3 – Custom PCAP decoder created
     4 – Encoded traffic reversed
 34. Update Infector – custom PCAP decoder (screenshot: cmd bytes with the XOR key applied)
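The decoder flow on the two slides above, and the encoding schemes listed under "It’s going, going…it’s gone" (XOR-ish bodies, scrambled Base64 alphabets), come down to undoing two layers once the key and alphabet have been pulled from the binary. The code below is an added example, not the decoder built for the case: it maps a custom Base64 alphabet back onto the standard one, applies a repeating XOR key, and checks a candidate key against a command prefix known from reversing. The scrambled alphabet (the standard one reversed), the key 0x20 and the two captured bodies are constructed; the real values came from the sample in the case.

```python
"""Added example (not the talk's decoder): undo scrambled-alphabet Base64
and repeating-key XOR on C2 bodies pulled from a capture.  Alphabet, key
and captured bodies are constructed."""
import base64
import string

STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed scrambled alphabet: the standard one reversed.
SCRAMBLED = STD_B64[::-1]
# Constructed key; in the case the key was recovered by reversing the binary.
KEY = b"\x20"


def xor_bytes(data, key):
    """Repeating-key XOR (also decrypts, since XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64decode(body, alphabet):
    """Map the custom alphabet back onto the standard one, fix padding, decode."""
    table = bytes.maketrans(alphabet.encode(), STD_B64.encode())
    data = body.translate(table)
    data += b"=" * (-len(data) % 4)   # senders often drop the '=' padding
    return base64.b64decode(data)


def custom_b64encode(data, alphabet):
    """Inverse of custom_b64decode, used to build test traffic."""
    table = bytes.maketrans(STD_B64.encode(), alphabet.encode())
    return base64.b64encode(data).translate(table)


def decode_c2_body(body, key, alphabet=None):
    """Strip the optional Base64 layer, then the XOR layer."""
    data = custom_b64decode(body, alphabet) if alphabet else body
    return xor_bytes(data, key)


def check_key(body, key, known_prefix, alphabet=None):
    """Confirm a candidate key against a command prefix known from reversing."""
    return decode_c2_body(body, key, alphabet).startswith(known_prefix)


# Constructed "bodies" as they would be pulled from a PCAP: the commands
# "dir" and "ver" XORed with 0x20 and written in the scrambled alphabet.
CAPTURED_BODIES = [b"u7at", b"qbqt"]


def decode_all(bodies, key=KEY, alphabet=SCRAMBLED):
    return [decode_c2_body(b, key, alphabet) for b in bodies]


if __name__ == "__main__":
    for body, cmd in zip(CAPTURED_BODIES, decode_all(CAPTURED_BODIES)):
        print(body, "->", cmd)
```

Working from a hand-built body ("u7at" is "RElS" in the scrambled alphabet, which is "DIR", which XORs to "dir") rather than only round-tripping through the encoder is a useful discipline when writing a decoder for a real capture: it proves the alphabet mapping and the key are right independently of each other.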
 35. Typical APT Infection Vectors – Case example #2 – Trojan.APT.BaneChant
 36. Trojan.APT.BaneChant : Overview
     Category        Notes
     Exploit         CVE-2012-0518
     C2              • Proxied via URL shortening service
                     • Connected to DynDNS site
     Delivery        Word document
     Files dropped   GoogleUpdate.exe
     Protection      XOR
     Persistence     User’s Startup folder
 37. Trojan.APT.BaneChant : Overview (timeline)
     1 – CVE published April 10, 2012
     2 – 2 A/V vendors had coverage on March 15, 2013
     3 – FireEye article released on April 1, 2013
     4 – A/V coverage increased by 7 more vendors on April 5, 2013
 38. Trojan.APT.BaneChant : Stage 1
     1 – Spear-phishing document opened
     2 – Callback to proxy
     3 – Redirect to C2
     4 – XOR encoded EXE downloaded to %temp%\moo#.exe
 39. Trojan.APT.BaneChant : Stage 2 (%temp%\moo#.exe)
     1 – Callback to proxy
     2 – Redirect to C2
     3 – Obfuscated code downloaded (GoogleUpdate.exe)
 40. Typical APT Infection Vectors – Case example #3 – Trojan.APT.Seinup
 41. Trojan.APT.Seinup : Overview
     Category        Notes
     Exploit         CVE-2012-0518
     C2              • Proxied via Google Docs
                     • Custom Base64 with salted digital signature
     Delivery        Word document
     Files dropped   iexp1ore.exe, wab.exe, wab32res.dll
     Protection      XOR, encrypted/compressed on disk
     Persistence     Windows service
 42. Trojan.APT.Seinup
     1 – Spear-phishing document opened
     2 – Creates & drops %temp%\wab.exe, %temp%\iex1ore.exe, %temp%\Wor.doc, %temp%\wab32res.dll
     3 – Executes %temp%\wab.exe
     4 – DLL sideloading: %temp%\wab.exe loads %temp%\wab32res.dll
     5 – Duplicates & registers as a service: %windir%\msnetrsvw.exe
     6 – Callback to proxy (from %windir%\msnetrsvw.exe)
     7 – Redirect to C2
 43. Trojan.APT.Seinup (screenshot: proxy to C2 site; parse cmds)
 45. $ glenn -h
     To ask a question, raise your hand as such: