# Let's go with a Go RAT!

###### Dec 2018, Yoshihiro Ishikawa

-----

### Yoshihiro Ishikawa (CISSP)

- Organization: LAC Co., Ltd. (lac.co.jp)
- Department: Cyber Emergency Center
- Job Title: Cyber Threat Analyst and Handler

-----

#### Agenda

- Purpose
- A study of Go language (GoLang)
- wellmess and its detail
- wellmess C2 traffic simulation (DEMO)
- Prevention method
- Conclusion

-----

#### Purpose

- wellmess malware and its botnet are currently still categorized as an unknown Golang malware
- Several incident cases that we handled from January 2018
- Not detected[2] by security software until we published our analysis report[1] around June 2018

We would like to introduce the analysis result of "wellmess", and hope it will be useful to prevent attacks in the future.

-----

based on advanced security technologies. CYBER - EDUCATION - PENTEST - JSOC - 119 - CONSULTING

## A study of Golang executables

-----

- Go[3] is an open source programming language developed by Google Inc. in 2009; in our presentation we call it "GoLang".
- Current stable version: 1.11.2
- Runs on various platforms such as Linux, Mac, Windows, Android
- Golang malware:
  - Mirai (C2/Server) is one of the most famous
  - Others such as Lady[4], GoARM.Bot[5], Go Athena RAT[6], Encriyoko[7]

-----

- Go executables have a huge file size (even packed by UPX[8]: < 4 MB)
- Function names are left intact in the executable files (in many cases; screenshot: not stripped)
- Character strings become one continuous block (go1.8 and higher)

-----

The function names can be recovered by using IDAGolangHelper[9] in IDA Pro[11].
Before / After: functions renamed by IDAGolangHelper (screenshots)

-----

Not every string blob can be separated by IDAGolangHelper, so we need to do it manually (screenshots: values that can be split vs. values that cannot).

-----

## wellmess and its detail

-----

wellmess is a RAT coded in GoLang, running on multiple platform operating systems.

- C2 functions
  - Command execution (RCE)
  - File upload and download
- Identification
  - Lang: GoLang (main) & .NET (minor version only)
  - Type: Windows 32/64-bit executable (these main slides) & ELF x64 (Appendix C)
- Characteristics
  - Compiled with Ubuntu (go1.8.3), Windows (go1.8)
  - The "wellmess" naming comes from "Welcome Message" (the attacker's thought)

-----

Does he mean "choice"? Does he mean "welcome message"? Does he mean "Mozilla"? (screenshots)

-----

Different package names; C2 server; supports Japanese, Korean and Chinese (screenshots)

-----

Each wellmess sample had a different User-Agent hard-coded:
- Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
- Mozilla/5.0 (X11; U; Linux x86_64; ja-JP; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.10 (maverick) Firefox/3.6.16
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, Like Gecko) Version/7.03 Safari/7046A194A
- Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0
- Mozzila/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
- Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;

-----

wellmess doesn't have a lateral movement function; for that purpose the attacker was using another tool. In some cases they used gost[13], a tunneling tool written in Golang (diagram: Victim / Attacker).

-----

#### .NET version (dnSpy[13]; too long, redacted)

- The payload (DLL file) is encrypted: replace strings and Base64, then decrypt with RC6
- The payload DLL file is loaded and executed using the AppDomain CreateInstanceAndUnwrap method
- RCE is also using PowerShell
- Has similar functions; methods which are not found in the

-----

| Functions | Golang (mostly spotted) | .NET (several cases only) |
|---|---|---|
| Support OS | Windows, Linux, (NAS) | Windows |
| Encryption | RC6, AES, RSA, obfuscation | RC6, AES, RSA, obfuscation |
| Bot commands | Command Execution, File Upload and Download | Command Execution, File Upload and Download |
| How to Command Exec | CMD (Windows), Execve (Linux) | PowerShell, CMD |
| C2 Protocol | HTTP, POST, Cookie | HTTP, POST, Cookie |
| Packer | UPX or none | Original Packer (bytes obfuscator) |
| Latest version (ITW), VirusTotal first submission | 2018-10-02 | 2018-07-25 |

Cookie data decoding, as quoted from JPCERT/CC [15]: `data.replace("+", " ").replace(" ", "=").replace(". ", "").replace(" ", "").replace(",", "+").replace(":", "/")`

-----

wellmess uses tags in an XML-like format to communicate C2 commands. The following are the regular expression matching rules for the tags (reconstructed from the slide):

Golang version: `<;(?P<key>[^;]*?);>(?P<value>[^<]*?)<;[^;]*?;>`

.NET version: `<;(?<key>[^;]*?);>(?<value>[^<]*?)<;[^;]*?;>`

-----

#### Bot commands

| Tag | Command | Functions |
|---|---|---|
| `<;head;>` | C | Used with `<;service;>` tag |
| | G | C2 server acceptance |
| `<;service;>` | p | (Re)Initialize AES key and send Host Info |
| | fu | File upload (from C2 to bot) |
| | fd | File download (from bot to C2) |
| | m | Change the division size per communication |
| | u | Change user-agent |
| `<;title;>` | a:x_x | Item number information of divided communication |
| | rc | Waiting for C2 command |

-----

Cookie header as sent on the wire: two cookies (`AOyniCcS=…` and `D9y5yGqO=…`) whose values are URL-encoded, obfuscated Base64.

Decrypted Cookie header (as far as legible on the slide):

- `<;head;>` carries the hex-encoded host information `57494e2d3550464b544835345154517c636f6e736f6c657c57494e2d3550464b544835345154517c75736572` (decodes to `WIN-5PFKTH54QTQ|console|WIN-5PFKTH54QTQ|user`), followed by `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` (the SHA256 hash of NULL)
- the command `p`
- `<;title;>a:1_0<;/title;>`

-----

#### Bot / C2 communication

There are 4 steps until command & control communication. We must prepare the hard-coded RC6 key and

1. Bot sends AES key + IV + host information
   - 1'. C2 acceptance
2. Bot sends host information
   - 2'. C2 acceptance
3. Bot sends ready signal for RCE
   - 3'. C2 sends RCE
4. Bot sends result of RCE

Step 1 (phase 1 of 2; "p" means initial phase):

- Cookie header: infected host information in RC6
- POST body: AES key + IV encrypted with the RSA public key
- Hex dump of the infected PC information ends with the SHA256 hash of NULL

Step 1': Cookie header: C2 server response in RC6; "G" means just received

Step 2 (phase 2 of 2):

- Cookie header: infected host information in RC6
- POST body: host information encrypted with the RSA public key (computer, mode, user, user name, domain name)

Step 3:

- Cookie header: standby to receive C2 command; "rc" means standby for receiving a C2 command
- POST body: it looks like no data is included

Step 3': POST body: C2 command in AES

Step 4 (phase 1 of 1): Cookie header: split block number in RC6

(The Japanese font is garbled in the screenshot.)

-----

## wellmess C2 traffic simulation DEMO

-----

- It is forbidden in Japan to share any form of malicious code without written acknowledgement from and to law enforcement.
- In this demonstration there is a possibility that the PoC code used can be misused to control real, live malware; there is a risk of malicious use if this PoC leaks, so it is considered malicious code.
- Due to the circumstances above, we cannot share the source code used for this demonstration; however, the demonstration itself explains enough details to prove the concept of the C2 communication traffic/protocol used by wellmess malware.
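The tag regular expression and the head/title values from the slides, parsed in working Go. This is an added example, not code from the slides or from the malware: the decrypted cookie is constructed from the slide's hex host information, and the closing-tag form `<;/key;>` and the placement of `p` in a `<;service;>` tag are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// tagRe is the Golang-version tag pattern from the slides: <;key;>value<;...;>.
var tagRe = regexp.MustCompile(`<;(?P<key>[^;]*?);>(?P<value>[^<]*?)<;[^;]*?;>`)

// headHex is the hex host information shown on the slide (host name, mode, user, SHA256 of NULL).
const headHex = "57494e2d3550464b544835345154517c636f6e736f6c657c57494e2d3550464b544835345154517c75736572" +
	"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
// SampleDecryptedCookie is constructed (not captured) from the bot command table; <;/key;> is assumed.
const SampleDecryptedCookie = "<;head;>" + headHex + "<;/head;><;service;>p<;/service;><;title;>a:1_0<;/title;>"

// ParseTags returns every <;key;>value pair found in a decrypted Cookie header.
func ParseTags(decrypted string) map[string]string {
	tags := map[string]string{}
	for _, m := range tagRe.FindAllStringSubmatch(decrypted, -1) {
		tags[m[1]] = m[2]
	}
	return tags
}

// DecodeHead hex-decodes a head value into its "|"-separated host information fields
// and the trailing 32-byte SHA256 (returned as hex).
func DecodeHead(v string) ([]string, string, error) {
	raw, err := hex.DecodeString(v)
	if err != nil || len(raw) <= sha256.Size {
		return nil, "", fmt.Errorf("bad head value (%d hex chars): %v", len(v), err)
	}
	n := len(raw) - sha256.Size
	return strings.Split(string(raw[:n]), "|"), hex.EncodeToString(raw[n:]), nil
}

// ParseChunkIndex parses a title value "a:x_y" (item number information of divided
// communication); any other title value, such as "rc", is rejected.
func ParseChunkIndex(v string) (x, y int, err error) {
	parts := strings.SplitN(strings.TrimPrefix(v, "a:"), "_", 2)
	if !strings.HasPrefix(v, "a:") || len(parts) != 2 {
		return 0, 0, fmt.Errorf("not a chunk index: %q", v)
	}
	if x, err = strconv.Atoi(parts[0]); err == nil {
		y, err = strconv.Atoi(parts[1])
	}
	return x, y, err
}
```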
-----

#### Prevention method

- C2 traffic connection in network detection: wellmess traffic can be detected using Suricata[16] or snort[17] with the following rule:

```
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"wellmess C2 traffic detection!"; content:"Accept-Encoding|3a 20|gzip"; content:"POST / HTTP/1.1"; pcre:"/Cookie\x3a [a-zA-Z0-9]{8}=/"; content:"Content-Type|3A| application|2F|x-www-form-urlencoded|3b| charset|3d|utf-8"; sid:1000000;)
```

- Static and dynamic detection:
  - YARA[18]: wellmess malware can be detected and identified by the YARA rules introduced on the next slide
  - EDR

-----

YARA rule for Golang (the condition line of this rule is not legible in the source):

```yara
rule wellmess_go {
    meta:
        author = "LAC Co., Ltd."
    strings:
        $mz = { 4D 5A }
        $elf = { 7F 45 4C 46 }
        $str1 = "botlib.FromNormalToBase64"
        $str2 = "botlib.AES_Encrypt"
        $str3 = "botlib.UnpackB"
        $str4 = "botchat.go"
        $str5 = "choise.go"
        $str6 = "wellmess.go"
    condition:
}
```

YARA rule for .NET:

```yara
rule chatbot_net {
    meta:
        author = "LAC Co., Ltd."
    strings:
        $mz = { 4D 5A }
        $str = "Start bot" wide
        $str2 = "ROL"
        $str3 = "ROR"
        $str4 = "FromBase64ToNormal"
        $str5 = "FromNormalToBase64"
        $str6 = "SSL"
    condition:
        ($mz at 0) and all of them
}
```

-----

Windows Defender ATP[19] Machine Timeline (screenshot)

-----

#### Conclusion

- wellmess is a RAT coded in GoLang and .NET, controlled by the C2 botnet.
- We have confirmed some cases where wellmess infection was found in targeted organizations, so attacks using the malware may continue in other countries.
- For information sharing with OPSEC on a global scale, you are more than welcome to contact us!

-----

#### References

1. https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf
2. https://www.virustotal.com/ja/file/0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193/analysis/
3. https://golang.org/
4. https://news.drweb.com/show/?i=10140&lng=en
5. http://blog.0day.jp/2014/09/linuxgoarmbot.html
6. https://blog.talosintelligence.com/2017/02/athena-go.html#more
7. https://www.symantec.com/connect/blogs/malware-uses-google-go-language
8. https://upx.github.io/
9. https://github.com/sibears/IDAGolangHelper
10. https://www.hex-rays.com/products/ida/
11. https://www.paterva.com/web7/
12. https://github.com/ginuerzh/gost
13. https://github.com/0xd4d/dnSpy
14. https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
15. https://suricata-ids.org/
16. https://www.snort.org/
17. http://virustotal.github.io/yara/

-----

###### IoC: MD5 hashes of the Golang and .NET samples

-----

Appendix (screenshots): Initial communication; Receive response & bot process; Execute bot command; Continue bot command

-----

##### Thank you. Any Questions?

-----
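As an appendix to the Prevention method section: the Suricata/snort rule above, re-implemented as a host- or proxy-side check in Go. This is an added example, not from the slides; the two HTTP requests are constructed (the cookie names come from the slide's sample, the host is a documentation address, the values are made up).

```go
package main

import (
	"bufio"
	"net/http"
	"regexp"
	"strings"
)

// cookieRe mirrors the rule's pcre "/Cookie\x3a [a-zA-Z0-9]{8}=/": the Cookie header value
// begins with an 8-character alphanumeric cookie name followed by "=".
var cookieRe = regexp.MustCompile(`^[a-zA-Z0-9]{8}=`)

// MatchWellmessC2 applies the four conditions of the Suricata/snort rule to one raw HTTP
// request: "POST / HTTP/1.1", "Accept-Encoding: gzip", the Cookie name shape above and the
// exact Content-Type string. All four must hold, exactly as in the rule.
func MatchWellmessC2(raw string) bool {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return false // not parseable as HTTP: the rule's content matches cannot apply
	}
	if req.Method != "POST" || req.RequestURI != "/" || req.Proto != "HTTP/1.1" {
		return false
	}
	if !strings.HasPrefix(req.Header.Get("Accept-Encoding"), "gzip") {
		return false
	}
	if !cookieRe.MatchString(req.Header.Get("Cookie")) {
		return false
	}
	return strings.Contains(req.Header.Get("Content-Type"),
		"application/x-www-form-urlencoded; charset=utf-8")
}

// SampleBotRequest is a constructed request shaped like the beacon in the slides; the cookie
// names come from the slide's sample, the host is a documentation address, values are made up.
const SampleBotRequest = "POST / HTTP/1.1\r\nHost: 203.0.113.10\r\n" +
	"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r\n" +
	"Accept-Encoding: gzip\r\nCookie: AOyniCcS=1bLTL+NuPy0+gRkR; D9y5yGqO=G+B%3AbW\r\n" +
	"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\nContent-Length: 0\r\n\r\n"

// SampleBenignRequest is a constructed ordinary form post that must not match.
const SampleBenignRequest = "POST /login HTTP/1.1\r\nHost: 203.0.113.10\r\n" +
	"Accept-Encoding: gzip, deflate\r\nCookie: session=abc123\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n"
```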